
Malicious Google Tag Manager Exploit Targets Magento Sites to Steal Credit Card Data


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Sucuri has published a blog highlighting a recent incident involving credit card data theft on a Magento-based eCommerce site. The investigation traced the breach to a malicious script injected into Google Tag Manager, which was used to steal payment information. Sucuri’s security team successfully identified and removed the malware, restoring the site to a secure state. This case underscores the risks associated with third-party scripts and the need for continuous monitoring.

Technical Details

A recent investigation uncovered a security breach on a Magento-based eCommerce site, where sensitive customer data, including credit card information, was being stolen. Such incidents pose serious risks, leading to financial losses, reputational damage, and a decline in customer trust.

Google Tag Manager (GTM) is a widely used tool that enables website owners to manage and deploy tracking scripts without directly modifying website code. It streamlines the integration of analytics and marketing tools like Google Analytics, Google Ads, and Facebook Pixel, allowing for easier tracking and campaign optimization.

The <script> tag used in GTM loads the JavaScript file responsible for managing and executing these tags through a designated GTM container. However, if misused or compromised, GTM can be exploited to inject malicious scripts, leading to data theft. Website owners should regularly monitor and secure their GTM configurations to prevent unauthorized access.

During the investigation, Sucuri conducted a thorough analysis of the website’s files to identify any suspicious or unfamiliar code. It wasn’t long before Sucuri discovered that the malware was being loaded from the cms_block.content database table.

At first glance, the code appeared to be a standard Google Tag Manager (GTM) and Google Analytics tracking script, commonly used for website analytics and advertising. However, upon closer inspection, Sucuri determined that the script was not being used for legitimate tracking but was, in fact, malicious.

In 2024, Sucuri published an article highlighting how Magecart veteran ATMZOW was using Google Tag Manager (GTM) to deliver malware. This new infection demonstrates that the tactic remains prevalent among attackers, with SiteCheck flagging the following variants:

• malware.magento_shoplift.171.5

• malware.magento_shoplift.171.51

• malware.magento_shoplift.171.52

During the investigation, Sucuri also discovered a backdoor located in ./media/index.php, which could have been exploited to further compromise the site, offering attackers persistent access. The backdoor code found is as follows:

At the time of writing, Sucuri identified at least six websites infected with this specific GTM ID, indicating that this threat is actively targeting multiple sites. Additionally, the malicious campaign is linked to eurowebmonitortool[.]com, a domain currently blocklisted by 15 security vendors on VirusTotal. Within the Google Tag Manager (GTM) tag, Sucuri discovered an encoded JavaScript payload acting as a credit card skimmer. This script was specifically designed to collect sensitive customer data entered during the checkout process and send it to a remote server controlled by the attackers. Upon execution, the malware would target the checkout pages, steal credit card information, and transmit it to an external server.

The script utilizes several obfuscation techniques, including the function _0x5cdc, which maps index values to specific characters in an array. This makes it challenging for anyone to immediately interpret the purpose of the script. Additionally, the code employs mathematical operations such as parseInt and shift in a loop, further scrambling its functionality. The string d2luZG93Lnd3 is Base64 encoded, which decodes to window.www—part of a larger encoded string that ultimately loads the Google Analytics script from www.google-analytics.com.

Attackers commonly use this tactic to mask the script's true intentions. By dynamically creating a <script> tag, the payload injects a modified version of the Google Analytics script (analytics.js). At the end of the script, the eval() function is used to execute the decoded and manipulated payload, which likely performs malicious actions such as exfiltrating sensitive information. The final payload is a hidden credit card skimmer designed to capture and exfiltrate payment details from unsuspecting customers.

Recommendations

To remediate Google Tag Manager-based malware, follow these steps:

● Log into Google Tag Manager, identify any suspicious or unauthorized tags, and delete them immediately.

● Conduct a comprehensive website scan to detect any other potential malware, backdoors, or vulnerabilities that may have been introduced.

● Identify and remove any malicious scripts or backdoor files, including those hidden in locations like cms_block.content or ./media/index.php.

● Verify that Magento and all installed extensions are running the latest versions with the latest security patches to prevent further exploitation.

● Regularly monitor your website’s traffic and GTM configurations for any unusual activity, such as unexpected tag changes or unauthorized access, to catch any signs of ongoing attacks.
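As an added example (not Sucuri's or FMI's code), the following Python audit is the kind of check a defender could run over rows exported from Magento's cms_block table to surface injections like the one described above: it flags script blocks that reference a GTM container ID outside an assumed allowlist, or that carry the obfuscation markers the write-up names (a hex-named string array, the push/shift rotation loop, eval and atob). The sample rows, the allowlist and the GTM container IDs are constructed for the example.

```python
import re
from dataclasses import dataclass, field
# Constructed sample rows (block id, content) in the shape of Magento's cms_block
# table; illustrative only, not the blocks from the incident described above.
SAMPLE_CMS_BLOCKS = [
    (1, "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
        "new Date().getTime(),event:'gtm.js'});var j=d.createElement(s);j.async=true;"
        "j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);"
        "})(window,document,'script','dataLayer','GTM-AAAA111');</script>"),
    (2, "<p>Free shipping on orders over $50.</p>"),
    (3, "<script>var _0x5cdc=['d2luZG93Lnd3','ZXZhbA=='];"
        "(function(a,b){while(--b){a['push'](a['shift']());}})(_0x5cdc,0x1a3);"
        "var s=document.createElement('script');"
        "s.src='https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999';"
        "eval(atob(_0x5cdc[0]));</script>"),
]
# GTM container IDs the administrator actually provisioned (assumed allowlist).
ALLOWED_GTM_IDS = {"GTM-AAAA111"}
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
# Markers of the obfuscated loader described in the write-up.
OBFUSCATION_PATTERNS = {
    "hex_named_array": re.compile(r"\b_0x[0-9a-f]{3,}\b"),
    "array_shift_loop": re.compile(r"\[['\"]push['\"]\]\(\w+\[['\"]shift['\"]\]\(\)\)"),
    "eval_call": re.compile(r"\beval\s*\("),
    "atob_call": re.compile(r"\batob\s*\("),
    "base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{12,}={0,2}['\"]"),
}

@dataclass
class Finding:
    block_id: int
    unknown_gtm_ids: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.unknown_gtm_ids or self.indicators)
def audit_cms_blocks(rows, allowed_ids=ALLOWED_GTM_IDS):
    """One Finding per block that embeds a <script>; blocks without one are skipped."""
    findings = []
    for block_id, content in rows:
        if "<script" not in content.lower():
            continue
        ids = set(GTM_ID_RE.findall(content))  # container IDs referenced by the block
        hits = [name for name, pat in OBFUSCATION_PATTERNS.items() if pat.search(content)]
        findings.append(Finding(block_id, sorted(ids - allowed_ids), hits))
    return findings
def suspicious_block_ids(rows, allowed_ids=ALLOWED_GTM_IDS):
    """Block IDs worth a manual review: unknown GTM container or obfuscation markers."""
    return [f.block_id for f in audit_cms_blocks(rows, allowed_ids) if f.suspicious]
```

The same patterns can be applied to other places the write-up points at, such as theme files or the contents of ./media, since the markers are properties of the loader rather than of the database table.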

Conclusion

This GTM-based attack highlights the increasing sophistication of modern malware, leveraging trusted platforms like Google Tag Manager to deploy harmful code. The use of obfuscation and encoding techniques makes detection particularly difficult, requiring an in-depth investigation to reveal the script’s true malicious intent. To stay protected, always investigate any scripts that appear unusual or unfamiliar. Be cautious of any scripts not directly added by your website’s administrator, as they may signal a potential compromise. If you suspect your website has been infected, perform a comprehensive audit. Remove any suspicious tags or scripts immediately to prevent further data theft and ensure the integrity of your site.
