JavaScript Skimmers: New Threat to Online Stores

Online stores running on the Magento platform are being targeted by attackers who use Google Tag Manager (GTM) to deliver malware that steals payment data, as reported by Sucuri. The malicious code, disguised as Google Analytics and advertising tags, also contains hidden backdoor functionality that lets the attackers keep access to compromised sites.

The infected sites were identified by a shared GTM container ID, GTM-MLHK2N68. Initially six sites were found to be affected; the number has since dropped to three. GTM containers normally hold analytics and advertising tags that fire under defined conditions. In this case, however, the attackers used the container to load malicious JavaScript stored in the Magento database, in the content of a CMS block (the “CMS_Block.Content” field referenced in the report). That script acts as a skimmer, capturing customer data on the payment pages.

The skimming script records customers' bank card details and sends them to a server controlled by the attackers. The technique is not new: in 2018 attackers abused GTM in a similar way for malvertising, redirecting users to fraudulent websites.

The incident highlights how legitimate web analytics tooling becomes an attack surface when it is not properly secured. Using GTM as a delivery mechanism for malicious code shows how readily attackers adapt and abuse trusted third-party services to compromise web resources.

Security experts recommend that store owners regularly review the contents of their GTM containers and their databases for suspicious scripts, and confirm that only the container IDs they actually own are loaded on their pages. Strengthening protection of administrator accounts is also essential to prevent unauthorized access and data breaches.
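The review described above can be partly automated. The following Python script is an added example written for this page, not code from Sucuri or from the Magento project. It audits rows modelled on Magento's cms_block table for unknown GTM container IDs, inline script tags, common obfuscation primitives and base64 payloads passed to atob, and it also checks rendered page HTML for container IDs outside an allowlist. The sample rows, the page snippet and the allowlist (ALLOWED_GTM_IDS) are constructed for the example; the real GTM ID from the report is deliberately not used.

```python
"""Audit Magento cms_block content and rendered HTML for rogue GTM containers and
injected skimmer scripts. Added example with constructed sample data."""
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample rows modelled on Magento's cms_block table (block_id, identifier, content).
# Row 3 is a legitimate GTM snippet; row 4 mimics an injected container plus an obfuscated payload.
SAMPLE_CMS_BLOCKS: List[Dict] = [
    {"block_id": 1, "identifier": "footer_links",
     "content": "<ul><li><a href='/about'>About</a></li></ul>"},
    {"block_id": 2, "identifier": "promo_banner",
     "content": "<div class='promo'>Free shipping over $50</div>"},
    {"block_id": 3, "identifier": "analytics",
     "content": "<script async src='https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111'></script>"},
    {"block_id": 4, "identifier": "tracking",
     "content": ("<script async src='https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999'></script>"
                 "<script>eval(atob('ZG9jdW1lbnQuY29va2ll'))</script>")},
]

# Constructed checkout page snippet: one owned container and one that should not be there.
SAMPLE_CHECKOUT_HTML = (
    "<html><head>"
    "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111'></script>"
    "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999'></script>"
    "</head><body><form id='co-payment-form'></form></body></html>"
)

# Assumed allowlist: the GTM containers this store actually owns.
ALLOWED_GTM_IDS = {"GTM-AAAA111"}

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Strings that, once decoded, point at data theft or payment-form access.
PAYLOAD_KEYWORDS = ("document.cookie", "XMLHttpRequest", "fetch(", "cc_number", "card", "payment")


def decode_atob_literals(content: str) -> List[str]:
    """Decode every base64 literal passed to atob(); skip anything that is not valid base64."""
    decoded = []
    for literal in ATOB_RE.findall(content):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def audit_block(block: Dict) -> List[str]:
    """Return human-readable findings for one cms_block row (empty list if nothing suspicious)."""
    content = block["content"]
    findings: List[str] = []
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id not in ALLOWED_GTM_IDS:
            findings.append(f"unknown GTM container {gtm_id}")
    if SCRIPT_TAG_RE.search(content):
        # Any script in CMS content deserves a look, even when the container ID is known.
        findings.append("inline <script> tag in CMS block content")
    primitives = sorted(set(OBFUSCATION_RE.findall(content)))
    if primitives:
        findings.append("obfuscation primitive(s): " + ", ".join(primitives))
    for payload in decode_atob_literals(content):
        if any(keyword in payload for keyword in PAYLOAD_KEYWORDS):
            findings.append(f"base64 payload decodes to suspicious code: {payload[:60]!r}")
    return findings


def audit_blocks(blocks: List[Dict]) -> Dict[str, List[str]]:
    """Map block identifier -> findings, keeping only rows that produced at least one finding."""
    report = {}
    for block in blocks:
        findings = audit_block(block)
        if findings:
            report[block["identifier"]] = findings
    return report


def unknown_gtm_ids_in_html(html: str) -> List[str]:
    """Container IDs present in rendered HTML that are not in the owned-container allowlist."""
    return sorted(set(GTM_ID_RE.findall(html)) - ALLOWED_GTM_IDS)


if __name__ == "__main__":
    for identifier, findings in audit_blocks(SAMPLE_CMS_BLOCKS).items():
        print(f"cms_block '{identifier}':")
        for finding in findings:
            print("  -", finding)
    print("unexpected containers on checkout page:", unknown_gtm_ids_in_html(SAMPLE_CHECKOUT_HTML))
```

In a real review the rows would come from `SELECT block_id, identifier, content FROM cms_block` and the HTML from fetching the checkout page as a customer; the tag-level check of the GTM container itself still has to be done in the GTM console, since the container contents are served by Google, not stored in the shop database.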
