Google system abused by hackers to hijack ecommerce stores

News
By
published

A malicious script was found embedded within Google Tag Manager

A person holding a credit card in one hand while typing on a laptop keyboard with the other.
(Image credit: Shutterstock / Kostenko Maxim)
  • Sucuri finds credit card skimmer in Magento-powered ecommerce site
  • The skimmer was hiding within Google Tag Manager
  • At least six websites were compromised, experts warned

Cybercriminals were exploiting the Google Tag Manager (GTM) to hide malware in Magento-powered ecommerce sites and steal payment information from customers, experts have claimed.

Researchers at Sucuri claim to have recently observed one such attack in the wild, explaining that a customer reached out for help after experiencing credit card data theft from their Magento-based ecommerce website.

The analysts traced the attack back to a malicious script embedded within Google Tag Manager, which appeared to be a legitimate tracking tool but was actually designed to skim sensitive data. Google Tag Manager is a free tool from Google that allows website owners and marketers to easily manage and deploy tracking codes (tags) on their website without directly modifying the site's code.

Abused in the wild

The attackers obfuscated the script, making it difficult to detect, and used it to capture payment details from the checkout page before sending them to a remote server.

Sucuri also found a backdoor that granted the attackers persistent access. At least six websites were found to be infected with the same GTM ID, and one of the domains used in the attack, eurowebmonitortool [dot] com, has now been blacklisted by most security companies.

Using the Google Tag Manager to deliver malware isn’t a novelty. The researchers said they covered the technique last year, adding that the new infection indicates the tactic “still being widely used” in the wild. Magento, due to its popularity among ecommerce site owners, is a huge target for cybercriminals. Payment information is also quite valuable for cybercriminals, since they can use it to purchase malicious goods, pay for malvertising campaigns, and more.

To remediate the attack, website admins should remove any suspicious GTM tags, perform a full website scan, make sure both Magento and other extensions are updated, and regularly monitor site traffic and GTM for any unusual activity, Sucuri suggests.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Red padlock open on electric circuits network dark red background

Newspaper printing across US hit after Lee Enterprises says “cybersecurity event” disrupted operations
An iPhone with a 10:30am alarm ringing next to an Apple Watch that displays the time as 12:42pm

Apple warns "extremely sophisticated attack" hits iPhones and iPads, so update now
The Apple iPad Air M2 on a pink background with text saying Don't Miss.

The Apple iPad Air M2 is back to its lowest-ever price at Best Buy
See more latest