Menace actors have been noticed leveraging Google Tag Supervisor (GTM) to ship bank card skimmer malware focusing on Magento-based e-commerce web sites.
Web site safety firm Sucuri stated the code, whereas showing to be a typical GTM and Google Analytics script used for web site analytics and promoting functions, incorporates an obfuscated backdoor able to offering attackers with persistent entry.
As of writing, as many as three websites have been discovered to be contaminated with the GTM identifier (GTM-MLHK2N68) in query, down from six reported by Sucuri. GTM identifier refers to a container that features the assorted monitoring codes (e.g., Google Analytics, Fb Pixel) and guidelines to be triggered when sure situations are met.
Additional evaluation has revealed that the malware is being loaded from the Magento database desk “cms_block.content material,” with the GTM tag containing an encoded JavaScript payload that acts as a bank card skimmer.
“This script was designed to gather delicate knowledge entered by customers in the course of the checkout course of and ship it to a distant server managed by the attackers,” safety researcher Puja Srivastava stated.
Upon execution, the malware is designed to pilfer bank card info from the checkout pages and ship it to an exterior server.
This isn’t the primary time GTM has been abused for malicious functions. In April 2018, Sucuri revealed that the software was being leveraged for malvertising functions.
The event comes weeks after the corporate detailed one other WordPress marketing campaign that possible employed vulnerabilities in plugins or compromised admin accounts to put in malware that redirected website guests to malicious URLs.
