
Cybercriminals are exploiting Google Tag Manager (GTM) to distribute malware designed to steal payment card data from online stores operating on the Magento platform. According to Sucuri, the malicious code is disguised as Google Analytics scripts and advertising tags but harbors a concealed backdoor functionality, enabling attackers to maintain persistent access to compromised websites.
It has been discovered that the infected sites utilize the GTM identifier GTM-MLHK2N68. Initially, six sites were affected, but the number later declined to three. Typically, GTM containers house various analytics and advertising scripts that trigger under specific conditions. However, in this case, the attackers embedded malicious JavaScript within them, sourcing it from the “cms_block.content” table in the Magento database. This code functions as a skimmer, intercepting user data on payment pages.
The malicious script captures users’ entered payment card details and transmits them to a server under the attackers’ control. Sucuri experts note that this attack method has been observed before. In 2018, cybercriminals leveraged GTM for malicious advertising campaigns that redirected users to fraudulent websites.
Such attacks show how legitimate web analytics tools become an attack vector when their configuration is not properly monitored. The exploitation of GTM as a malware delivery mechanism highlights how cybercriminals continuously adapt to security measures, devising new techniques to compromise web resources by abusing trusted services.
Security experts advise online store owners to conduct regular audits of their GTM containers and databases for suspicious scripts while reinforcing administrator account security.
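One way to carry out the audit recommended above is to scan the `cms_block` rows of a Magento database for GTM container IDs that were never approved by the store owner, and for inline scripts using the obfuscation helpers skimmer loaders typically rely on. This is an added example, not Sucuri's or Magento's code; the sample rows and the `GTM-AAAA111` / `GTM-ZZZZ999` IDs are constructed, while `GTM-MLHK2N68` is the ID named in the report.

```python
import re

# Constructed fixtures standing in for (identifier, content) rows of Magento's
# cms_block table; not data from the incident described above.
SAMPLE_ROWS = [
    ("footer_links", "<ul><li><a href='/contact'>Contact</a></li></ul>"),
    ("gtm_header",
     "<script>(function(w,d,s,l,i){/* GTM loader */})"
     "(window,document,'script','dataLayer','GTM-AAAA111');</script>"),
    ("promo_banner",
     "<script>(function(w,d,s,l,i){/* GTM loader */})"
     "(window,document,'script','dataLayer','GTM-ZZZZ999');</script>"),
    ("analytics_tag",
     "<script>(function(w,d,s,l,i){/* GTM loader */})"
     "(window,document,'script','dataLayer','GTM-MLHK2N68');</script>"),
    ("checkout_note", "<script>var p=atob('ZG9jdW1lbnQ=');eval(p);</script>"),
]

# Container IDs the store owner deliberately deployed (assumed allowlist).
APPROVED_GTM_IDS = {"GTM-AAAA111"}
# Container ID named in the Sucuri report discussed above.
KNOWN_BAD_GTM_IDS = {"GTM-MLHK2N68"}

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
# Constructs commonly used by obfuscated loaders; a hit is a review trigger,
# not proof of compromise.
SUSPICIOUS_TOKENS = ("atob(", "eval(", "fromCharCode", "unescape(", "document.write(")


def audit_cms_blocks(rows, approved_ids, known_bad_ids):
    """Return [(identifier, [reason, ...])] for CMS blocks that need review."""
    findings = []
    for identifier, content in rows:
        reasons = []
        for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
            if gtm_id in known_bad_ids:
                reasons.append(f"GTM container {gtm_id} matches the ID reported by Sucuri")
            elif gtm_id not in approved_ids:
                reasons.append(f"unapproved GTM container {gtm_id}")
        if SCRIPT_RE.search(content):
            hits = [t for t in SUSPICIOUS_TOKENS if t in content]
            if hits:
                reasons.append("script uses " + ", ".join(hits))
        if reasons:
            findings.append((identifier, reasons))
    return findings


if __name__ == "__main__":
    for identifier, reasons in audit_cms_blocks(SAMPLE_ROWS, APPROVED_GTM_IDS, KNOWN_BAD_GTM_IDS):
        print(f"{identifier}: {'; '.join(reasons)}")
```

In a real audit the rows would come from `SELECT identifier, content FROM cms_block`, and every flagged block should be compared against the store's change history rather than deleted blindly.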