Hackers Exploit Google Tag Manager to Steal Credit Card Information from eCommerce Websites

Cybercriminals are abusing Google Tag Manager (GTM) to inject malicious scripts into Magento-based eCommerce stores and steal customers' credit card details during checkout. The attack embeds obfuscated code in a GTM container that the store loads; when the container fires on the checkout page, the code captures payment data from the form and transmits it to servers under the attackers' control.
The Attack Vector: Google Tag Manager
Google Tag Manager is a widely used tool that lets site administrators deploy marketing and analytics tags without editing the site's code directly. That convenience is also the risk: every tag in a container runs with first-party privileges on every page where the container loads, checkout included, and the tag contents are served from Google's domain rather than from the store's own server. Researchers found that attackers who can place a tag in a container the store trusts (either by getting into the store's own container, or by injecting a loader for a container they control) can run obfuscated JavaScript that is hard to distinguish from legitimate tag code. Once in place, that script reads or intercepts form submissions on the checkout page and captures card numbers, expiry dates, CVVs and other personal information.
Case Study: Magento-Based eCommerce Sites
A notable instance of this attack was documented by security researchers at Sucuri. They found several Magento-based eCommerce sites compromised through GTM: the attackers injected malicious JavaScript via GTM containers, which loaded during checkout and skimmed credit card details, then sent the data to external servers the attackers controlled. Because the loader on the page looks like the standard GTM snippet a store would legitimately carry, and the malicious code itself is delivered inside the container from Google's domain rather than from the compromised server, a file-based scan of the site turns up nothing unusual, which made detection difficult.
Persistence Through PHP Backdoors
To maintain long-term access to the compromised sites, the attackers also planted PHP backdoors: hidden scripts that give them unauthorized access to and control over the web server. In the cases observed, the backdoor was located at ./media/index.php in the Magento installation. A PHP file in the media directory is itself a red flag, since that directory should hold only uploaded assets such as product images. The backdoor served as a gateway for the attackers to reinstate the malicious GTM scripts after initial clean-up attempts, so that data theft continued.
Detection and Mitigation Strategies
Identifying such breaches requires a combination of automated tools and manual inspection. Regularly auditing GTM configurations is crucial: confirm that the container IDs present on the checkout page are exactly the ones the store owns, and review every Custom HTML tag and trigger in those containers, since that is where injected code would live. Comprehensive website scans can surface anomalies in the codebase or unexpected file changes; file integrity monitoring alerts administrators to unauthorized modifications such as a new PHP file in an asset directory; and keeping all platform components and extensions patched closes the known vulnerabilities attackers use to get in.
Recommendations for Website Administrators
To safeguard against these types of attacks, website administrators should consider the following measures:
Regular GTM Audits: Frequently review and verify all tags, triggers and container IDs within GTM, and on the pages themselves, to ensure they are legitimate and authorized; use GTM's version history to spot changes nobody on the team published.
Comprehensive Security Scans: Utilize security tools to perform in-depth scans of the website’s files and databases to identify and remove malicious code or backdoors.
File Integrity Monitoring: Implement systems that monitor and alert on changes to critical files, aiding in the early detection of unauthorized modifications.
Timely Updates and Patches: Keep the eCommerce platform, plugins, and extensions current with the latest security updates to mitigate vulnerabilities.
Traffic Monitoring: Regularly analyze website traffic, including the browser-side requests the checkout page makes, for unusual patterns such as form data or unexpected transmissions going to external servers; a Content Security Policy whose connect-src and form-action directives allow only the hosts the checkout genuinely needs both blocks and reports such exfiltration.
By adopting these proactive security practices, website administrators can enhance their defenses against sophisticated attacks that exploit tools like Google Tag Manager.
Source: Google Tag Manager Skimmer Steals Credit Card Info From Magento Site
Mabuhay! We are a group of WordPress developers who delights in building profitable and secure websites for businesses.
We have experience in working with different platforms, systems, and devices to create products that are secure, profitable and accessible.