Attackers are actively compromising Magento-based eCommerce websites and injecting an obfuscated script that steals credit card details. By disguising the payload as a Google Tag Manager (GTM) snippet, they can load the skimmer discreetly and intercept payment information as shoppers enter it during checkout.
Security researchers at Sucuri discovered that the malware is being loaded from the content column of the cms_block database table, which holds the HTML of Magento's CMS blocks, so the injection lives in the database rather than in a file on disk. The malicious script is written to look like a legitimate GTM container snippet, making it difficult to spot during a casual review. This tactic lets the attackers slip past file-based security checks while keeping their operation hidden.
Once loaded, the malware records the credit card details entered on the checkout page and transmits them to an external server controlled by the attackers. In addition, the attackers have installed a hidden PHP backdoor so that they can re-infect the site even after the skimmer itself is detected and removed.
Sucuri’s team also found a backdoor PHP file, which is particularly dangerous because PHP is the language Magento itself runs on, as do WordPress, Drupal and Joomla. An injected PHP file executes server-side with the same privileges as the application, so it gives attackers long-term access to the site and to the sensitive data it handles.
Website owners using Magento and similar platforms are urged to review their Google Tag Manager scripts, scan for suspicious PHP files, and apply security patches to prevent such attacks.
Security researchers have identified a new malware campaign targeting Magento-based eCommerce websites, allowing hackers to steal customers’ credit card information. The attack is carried out using Google Tag Manager (GTM), a commonly used tool for managing website scripts. By injecting an obfuscated script into compromised sites, cybercriminals can discreetly capture payment details at checkout.
One of the key components of this attack is a hidden PHP backdoor file, ./media/index.php, which helps the attackers keep control over the compromised website and reinsert the malicious code after an initial clean-up. The media directory normally holds only uploaded images and other static assets, so a PHP file there is a red flag in its own right. The security firm Sucuri has been monitoring this campaign and has identified at least six websites currently infected with this specific GTM ID, which indicates that the threat is actively spreading across multiple online stores and potentially affecting thousands of customers.
The malware is being distributed through a domain called eurowebmonitortool[.]com (written with [.] so that it is not a live link), which 15 security vendors had already flagged as malicious on VirusTotal at the time of writing. VirusTotal is a widely used service that scans files and URLs with many antivirus engines and aggregates threat intelligence from multiple sources.
Given the severity of the attack, Sucuri has recommended several crucial steps for website owners to secure their sites and remove the infection:
- Inspect Google Tag Manager Tags – Website administrators should log into their GTM account and review every tag, trigger and custom HTML snippet in the container, removing anything they cannot account for. They should also check Magento's CMS blocks (Content > Blocks in the admin panel, or the cms_block table directly) for injected script tags, since that is where this campaign's snippet was found.
- Conduct a Comprehensive Website Scan – A full security scan should be performed to detect hidden malware, unauthorised scripts, or backdoor files that may have been injected into the site.
- Remove Malicious Code and Backdoor Files – Any detected malware or suspicious PHP files should be deleted to prevent attackers from regaining access.
- Keep Magento and All Extensions Up to Date – Since outdated software is a common entry point for hackers, website owners must ensure that their Magento platform and all installed extensions are updated with the latest security patches.
- Monitor Website Traffic and GTM Activity – Continuous monitoring of website traffic and GTM changes can help detect anomalies early and prevent further security breaches.
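As an added example (not Sucuri's tooling and not part of the original article), the following Python script automates the two checks above that lend themselves to scripting: it audits rows from the cms_block table, where Sucuri found the injected snippet, for script tags that carry an unknown GTM container id or obfuscation markers, and it lists PHP files under the media directory, where the ./media/index.php backdoor was dropped. The container id in KNOWN_GTM_IDS, the sample cms_block rows and the temporary media tree are constructed for the demonstration; in practice feed it the rows from `SELECT block_id, identifier, content FROM cms_block` and the store's real media directory.

```python
"""Audit checks for a GTM-disguised Magento skimmer.

Added example, not Sucuri's or Magento's code. KNOWN_GTM_IDS, the sample
cms_block rows and the temporary media tree are constructed so that the
script runs offline.
"""
import re
import tempfile
from pathlib import Path

# Assumption: the container id the store actually owns. Any other id is suspect.
KNOWN_GTM_IDS = {"GTM-ABCD123"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
# Constructs a genuine GTM container snippet never needs but skimmers lean on.
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")
# A long run of base64/hex-looking characters inside a script is another tell.
LONG_BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{80,}")

# Constructed rows standing in for the cms_block table: (block_id, identifier, content).
SAMPLE_CMS_BLOCKS = [
    (1, "footer_links", '<div class="footer"><a href="/contact">Contact</a></div>'),
    (2, "gtm_header",
     "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
     "})(window,document,'script','dataLayer','GTM-ABCD123');</script>"),
    (3, "promo_banner",
     "<script>var _0x1a=['" + "Y" * 90 + "'];eval(atob(_0x1a[0]));</script>"),
    (4, "seo_snippet",
     "<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-ZZZZ999');</script>"),
]


def audit_cms_blocks(rows, known_ids=KNOWN_GTM_IDS):
    """Return [(block_id, identifier, [reasons])] for every block whose content
    carries a script tag with an unknown GTM container id, an obfuscation
    marker, or a long encoded blob. Blocks without a script tag are skipped."""
    findings = []
    for block_id, identifier, content in rows:
        if not SCRIPT_TAG_RE.search(content):
            continue  # plain HTML block, loads nothing
        reasons = []
        for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
            if gtm_id not in known_ids:
                reasons.append(f"unknown GTM container {gtm_id}")
        for marker in OBFUSCATION_MARKERS:
            if marker in content:
                reasons.append(f"obfuscation marker {marker!r}")
        if LONG_BLOB_RE.search(content):
            reasons.append("long encoded blob")
        if reasons:
            findings.append((block_id, identifier, reasons))
    return findings


def find_php_in_media(media_dir):
    """Return sorted relative paths of PHP-executable files under the media
    directory. media/ (pub/media/ on Magento 2) should hold only static assets,
    so any hit deserves a look."""
    media_dir = Path(media_dir)
    hits = []
    for path in media_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".phtml", ".phar"}:
            hits.append(path.relative_to(media_dir).as_posix())
    return sorted(hits)


def build_sample_media_tree():
    """Constructed media directory: a product image, an .htaccess, and a
    placeholder standing in for the dropped index.php backdoor."""
    root = Path(tempfile.mkdtemp(prefix="media_"))
    (root / "catalog" / "product").mkdir(parents=True)
    (root / "catalog" / "product" / "shoe.jpg").write_bytes(b"\xff\xd8\xff")
    (root / ".htaccess").write_text("Options -ExecCGI\n")
    (root / "index.php").write_text("<?php /* constructed stand-in for the backdoor */ ?>\n")
    return root


if __name__ == "__main__":
    for block_id, ident, reasons in audit_cms_blocks(SAMPLE_CMS_BLOCKS):
        print(f"cms_block {block_id} ({ident}): " + "; ".join(reasons))
    print("PHP under media/:", find_php_in_media(build_sample_media_tree()))
```

Run against the sample data it reports block 3 (obfuscated, no container id at all) and block 4 (a container id the store does not own) while leaving the legitimate GTM block alone, and it lists index.php under the media tree. The allowlist of container ids matters more than the obfuscation heuristics: a cleanly written skimmer that loads a second GTM container will only be caught by the id check.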
Magento-based websites have long been a prime target for cybercriminals due to their popularity among online retailers. Attacks like these highlight the need for robust security measures, including regular audits, strong firewalls, and active monitoring of website activity.
As hackers continue to find new ways to exploit vulnerabilities, online businesses must remain vigilant. Taking proactive steps to secure their websites can help prevent financial losses and protect customer data from falling into the wrong hands.