Crooks use Google Tag Manager skimmer to steal credit card data from Magento-based e-stores

Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.

Sucuri researchers found threat actors using Google Tag Manager (GTM) to deploy e-skimmer malware on a Magento eCommerce site.

Google Tag Manager (GTM) is a free tool that lets website owners manage marketing tags without modifying site code, simplifying analytics and ad tracking.

Sucuri inspected the website and discovered the malicious code hidden in the website’s database (cms_block.content), disguised as a Google Tag Manager and Google Analytics script to evade detection.

This isn’t the first time Sucuri has documented the use of GTM to deploy e-skimmers on e-stores: in 2024, the experts detailed how Magecart veteran ATMZOW was using Google Tag Manager to deliver malware. The researchers pointed out that the tactic is still being used by threat actors in the wild.

At the time the report was published, three sites were still infected with the GTM identifier (GTM-MLHK2N68), down from the six Sucuri had reported.

“Within the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer. This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers.” states Sucuri “Once executed, the malware would steal credit card information from the checkout pages and send it to an external server.”

The _0x5cdc function obfuscates the code by mapping index values to characters and applying arithmetic operations; the attackers additionally use Base64 encoding to disguise the malicious script.

The script injects a modified Google Analytics script to execute a hidden credit card skimmer, which exfiltrates payment data to an attacker’s server.
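As an added example (not Sucuri’s tooling or code from the article), here is a small Python triage script a Magento operator could run over rows pulled from cms_block to flag content showing the traits described above: the container ID reported in the campaign, hex-named `_0x` identifiers, a Base64 payload decoded at runtime with atob(), and an analytics-style loader fetched from a non-Google host. The sample rows, the allow-list of tag hosts and the host names are constructed for the demo.

```python
import re

# Container ID reported by Sucuri for this campaign (taken from the article).
KNOWN_BAD_GTM_IDS = {"GTM-MLHK2N68"}
# Hosts a genuine GTM/GA loader is expected to reference (assumption: demo allow-list).
ALLOWED_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{5,}\b")
HEX_IDENT_RE = re.compile(r"\b_0x[0-9a-f]{4,}\b")          # e.g. _0x5cdc
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # long encoded payload
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\bsrc=["']https?://([^/"']+)""", re.I)


def scan_block(content):
    """Return the list of indicators found in one cms_block.content value."""
    findings = []
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id in KNOWN_BAD_GTM_IDS:
            findings.append(f"known malicious GTM container {gtm_id}")
    if HEX_IDENT_RE.search(content):
        findings.append("hex-named obfuscated identifiers (_0x...)")
    if BASE64_BLOB_RE.search(content) and re.search(r"\batob\s*\(", content):
        findings.append("Base64 blob decoded at runtime via atob()")
    for host in SCRIPT_SRC_RE.findall(content):
        looks_like_analytics = re.search(r"gtag|analytics|gtm", content, re.I)
        if host.lower() not in ALLOWED_TAG_HOSTS and looks_like_analytics:
            findings.append(f"analytics-style script loaded from non-Google host {host}")
    return findings


def scan_cms_blocks(rows):
    """rows: (block_id, identifier, content) tuples, e.g. from
    SELECT block_id, identifier, content FROM cms_block. Returns {block_id: findings}."""
    report = {}
    for block_id, _identifier, content in rows:
        findings = scan_block(content)
        if findings:
            report[block_id] = findings
    return report


# Constructed sample rows: one benign block, one mimicking the described skimmer.
SAMPLE_ROWS = [
    (1, "footer_links",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-XXXXXXX"></script>'
     "<script>window.dataLayer=window.dataLayer||[];</script>"),
    (2, "promo_banner",
     "<!-- Google Tag Manager --><script>var _0x5cdc=function(i){return String.fromCharCode(i+65)};"
     "eval(atob('" + "QUJD" * 30 + "'));</script>"
     '<script src="https://analytics-cdn.invalid/analytics.js?id=GTM-MLHK2N68"></script>'),
]

if __name__ == "__main__":
    for block_id, findings in scan_cms_blocks(SAMPLE_ROWS).items():
        print(block_id, findings)
```

Any hit on a GTM container ID should be compared against the container the store actually owns; the script only knows the one ID the report names.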

“This GTM-based attack demonstrates the sophistication of modern malware, utilizing legitimate platforms like Google Tag Manager to deploy malicious code.” Sucuri concludes. “The obfuscation and encoding techniques make it particularly challenging to detect, requiring deep investigation to uncover its true purpose.”


Pierluigi Paganini

(SecurityAffairs – hacking, Magento)