Threat actors have been spotted delivering credit card skimmer malware to Magento-based e-commerce websites using Google Tag Manager (GTM).
Website security company Sucuri says that while the code appears to be a typical GTM and Google Analytics script used for website analytics and advertising, it contains a disguised backdoor that gives the attackers persistent access.
As of this writing, as many as have been found to be infected with the GTM identifier (GTM-MLHK2N68) in question, down from six reported by Sucuri. A GTM identifier refers to a container that holds the various tracking codes (such as Google Analytics and Facebook Pixel) as well as rules that fire when certain conditions are met.
Further analysis revealed that the malware is loaded from the "cms_block.content" table in the Magento database, with the GTM tag containing an encoded JavaScript payload that acts as a credit card skimmer.
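As an added example (not code from the article or from Sucuri), the defender-side check this loading mechanism suggests: audit the content column of Magento's cms_block table for GTM container IDs outside an allowlist and for decode/eval primitives that a legitimate GTM snippet does not need. The sample rows and the allowlisted container ID GTM-ABCD123 are constructed; the flagged ID GTM-MLHK2N68 is the one named in the report.

```python
import re

# Constructed rows imitating Magento's cms_block table as (identifier, content).
# These are made-up records for the example, not data from the Sucuri report.
SAMPLE_CMS_BLOCKS = [
    ("footer_links", "<p><a href='/contact'>Contact us</a></p>"),
    ("gtm_head",
     "<script>(function(w,d,s,l,i){w[l]=w[l]||[];...})"
     "(window,document,'script','dataLayer','GTM-ABCD123');</script>"),
    ("promo_banner",
     "<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-MLHK2N68');"
     "eval(atob('" + "ZG9jdW1lbnQ" * 9 + "'))</script>"),
]

# Assumption: the shop's one legitimate container ID (constructed value).
KNOWN_GOOD_CONTAINERS = {"GTM-ABCD123"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
# Decode/eval primitives commonly seen wrapping encoded skimmer payloads.
SUSPICIOUS_JS_RE = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(")
# A single quoted literal of 80+ base64/percent-style characters.
LONG_BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=%\\]{80,}['\"]")


def audit_cms_block(identifier, content, allowlist=KNOWN_GOOD_CONTAINERS):
    """Return a list of finding strings for one cms_block row (empty if clean)."""
    findings = []
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id not in allowlist:
            findings.append(f"{identifier}: unknown GTM container {gtm_id}")
    if SUSPICIOUS_JS_RE.search(content):
        findings.append(f"{identifier}: decode/eval primitive in block content")
    if LONG_BLOB_RE.search(content):
        findings.append(f"{identifier}: long encoded string literal in block content")
    return findings


def audit_all(rows, allowlist=KNOWN_GOOD_CONTAINERS):
    """Map each cms_block identifier to its findings, omitting clean rows."""
    report = {}
    for identifier, content in rows:
        findings = audit_cms_block(identifier, content, allowlist)
        if findings:
            report[identifier] = findings
    return report


if __name__ == "__main__":
    for block, hits in audit_all(SAMPLE_CMS_BLOCKS).items():
        print(block, "->", "; ".join(hits))
```

On a live store the rows would come from `SELECT identifier, content FROM cms_block`, and the same checks apply to theme files and the design/head/includes configuration, which are other common places for injected tags.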
Security researcher Puja Srivastava said, "This script was intended to collect sensitive information that people enter during the checkout process and give it to a distant server that the attackers control."
The malware is designed to steal credit card data from the checkout pages and transmit it to a remote server upon execution.
This is not the first time GTM has been abused for malicious purposes. In April 2018, Sucuri revealed that the tool was being used for illicit ends.
The development comes weeks after the company disclosed another WordPress campaign that allegedly exploited vulnerabilities in plugins or compromised admin accounts to install malware that redirected site visitors to malicious URLs.