A new wave of cyberattacks targets Magento-based eCommerce websites, using Google Tag Manager (GTM) to inject malicious code and steal customer credit card data. Attackers are leveraging GTM’s flexibility to embed obfuscated JavaScript payloads that silently exfiltrate sensitive payment details to remote servers. Delivering the payload through a trusted tag-management tool lets the malicious scripts bypass traditional security measures, posing a dangerous threat to online retailers and their customers.
The breach was detected when a Magento website owner noticed unauthorised transactions linked to their store’s checkout process. Upon investigation, researchers identified that the attackers had embedded a malicious script within a GTM tag, turning a legitimate analytics and marketing tool into a data-harvesting mechanism.
During the forensic analysis, researchers found that the malicious code was stored in the website’s ‘cms_block.content’ table. Though it initially appeared to be a standard GTM script, further inspection revealed encoded JavaScript that exfiltrated sensitive payment details to an attacker-controlled server.

The malware used sophisticated obfuscation, including:
- A function (‘_0x5cdc’) mapping index values to characters to disguise its true intent.
- Base64-encoded strings to make detection harder.
- The use of ‘eval()’ to execute the malicious payload dynamically.
- Injection of a modified Google Analytics script to avoid suspicion while performing malicious actions.
Upon execution, the skimmer would silently collect credit card details and transmit them to an external domain, ‘eurowebmonitortool[.]com,’ already blocklisted by multiple security vendors.
Researchers also note that this attack technique has previously been seen in Magecart-style breaches, where threat actors hijack online payment pages to steal financial data. Notably, a known group, ATMZOW, had used a similar GTM-based strategy earlier, indicating that such threats are evolving rather than diminishing.
Investigators also discovered a backdoor hidden in ‘./media/index.php,’ granting attackers persistent access to the compromised website. This backdoor could have been used to reinfect the site, making it crucial to eliminate all traces of the malware.
Experts urge users to remove any suspicious GTM tags and malicious scripts or backdoor files, perform a full website scan, ensure that all extensions are up to date, and regularly monitor site traffic and GTM for any unusual activity.
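One concrete way to act on that advice is to audit the ‘cms_block.content’ values for the obfuscation indicators the researchers describe (hex-named helper functions such as ‘_0x5cdc’, ‘eval()’, Base64 decoding and long Base64 blobs, and the blocklisted domain). The scanner below is an added example, not code from the researchers or from Magento; the indicator weights, the threshold, the ‘block_id’ column name and the sample rows are assumptions constructed for illustration.

```python
import re

# Indicators drawn from the incident write-up; weights are assumed, not from the report.
INDICATORS = {
    "eval_call": (re.compile(r"\beval\s*\("), 3),
    "hex_identifier": (re.compile(r"\b_0x[0-9a-fA-F]{4,}\b"), 3),
    "base64_decode": (re.compile(r"\batob\s*\("), 2),
    "long_base64_blob": (re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"), 2),
    # Matches both the plain and the defanged ("[.]") form of the blocklisted domain.
    "known_bad_domain": (re.compile(r"eurowebmonitortool\[?\.\]?com"), 5),
}


def scan_block(content):
    """Score one cms_block.content value; returns (score, [matched indicator names])."""
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(content):
            score += weight
            hits.append(name)
    return score, hits


def find_suspicious_blocks(rows, threshold=3):
    """rows: iterable of (block_id, content), e.g. from
    SELECT block_id, content FROM cms_block. Returns blocks at or above threshold."""
    findings = []
    for block_id, content in rows:
        score, hits = scan_block(content)
        if score >= threshold:
            findings.append((block_id, score, hits))
    return findings


# Constructed sample rows standing in for a database query (not real site data).
SAMPLE_ROWS = [
    # A simplified but legitimate GTM loader: only references Google's own host.
    ("clean_gtm", "<script>var j=document.createElement('script');j.async=true;"
                  "j.src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX';"
                  "document.head.appendChild(j);</script>"),
    ("footer_html", "<div class='footer'><p>Free shipping on orders over $50.</p></div>"),
    # A block mimicking the injected tag: hex helper, eval(atob(...)) and the bad domain.
    ("injected_gtm", "<script>var _0x5cdc=function(i){return ['a','b'][i];};"
                     "eval(atob('" + "QUJD" * 16 + "'));"
                     "var u='https://eurowebmonitortool[.]com/';</script>"),
]

if __name__ == "__main__":
    for block_id, score, hits in find_suspicious_blocks(SAMPLE_ROWS):
        print(f"{block_id}: score={score} indicators={', '.join(hits)}")
```

Any block flagged here should be reviewed by hand before removal, since legitimate extensions occasionally ship minified code that trips the Base64 heuristic.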