Threat actors have been observed abusing Google Tag Manager (GTM) to deliver credit card skimmer malware that targets Magento-based e-commerce websites.
Website security company Sucuri said the code, which looks like a typical GTM and Google Analytics script used for website analytics and advertising, actually contains an obfuscated backdoor capable of providing attackers with persistent access.
As of writing, as many as three sites have been found infected with the GTM identifier (GTM-Mlhk2N68), down from the six reported by Sucuri. A GTM identifier refers to a container that bundles various tracking codes (e.g., Google Analytics, Facebook Pixel) together with rules that fire when certain conditions are met.
Further analysis has shown that the malware is loaded from the Magento database table “CMS_block.Content”, where the GTM tag carries an encoded JavaScript payload that serves as a credit card skimmer.
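A defender can hunt for this pattern in a Magento database export. The added example below (not Sucuri's code) audits rows from a cms_block-style table for GTM container IDs outside a site's allowlist and for encoded script payloads; the sample rows and the allowlist are constructed, and the flagged container ID is the one named above.

```python
import re

# Constructed sample rows (block identifier, content) as exported from a Magento
# cms_block table. Only the GTM container ID GTM-Mlhk2N68 comes from the report;
# every other value here is made up for the example.
SAMPLE_BLOCKS = [
    ("footer_links", "<ul><li><a href='/contact'>Contact</a></li></ul>"),
    ("gtm_header",
     "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123'></script>"),
    ("analytics_extra",
     "<script>var _0x1a=atob('" + "QUJD" * 30 + "');eval(_0x1a);</script>"),
    ("promo_banner",
     "<script>(function(){var i='GTM-Mlhk2N68';})();</script>"
     "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-Mlhk2N68'></script>"),
]

# Container IDs the site owner actually provisioned (constructed allowlist).
KNOWN_GOOD_CONTAINERS = {"GTM-ABCD123"}

# GTM container IDs look like GTM-XXXXXXX; compare case-insensitively.
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b", re.IGNORECASE)
# A decode/eval primitive next to a long base64-looking literal is a common
# shape for an encoded inline payload such as the skimmer described above.
ENCODED_JS_RE = re.compile(r"(atob|eval|unescape|String\.fromCharCode)\s*\(", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")


def audit_cms_blocks(blocks, allowlist):
    """Return (block, finding, details) tuples for suspicious CMS block content."""
    allowed = {a.upper() for a in allowlist}
    findings = []
    for name, content in blocks:
        ids = {m.group(0).upper() for m in GTM_ID_RE.finditer(content)}
        unknown = sorted(i for i in ids if i not in allowed)
        if unknown:
            findings.append((name, "unknown_gtm_container", unknown))
        if ENCODED_JS_RE.search(content) and B64_BLOB_RE.search(content):
            findings.append((name, "encoded_script_payload", []))
    return findings


if __name__ == "__main__":
    for finding in audit_cms_blocks(SAMPLE_BLOCKS, KNOWN_GOOD_CONTAINERS):
        print(finding)
```

Against a real export, point the block list at the rows of the table named above and seed the allowlist from the GTM containers the marketing team actually owns.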
Security researcher Pooja Srivastava said, “This script was designed to collect sensitive data recorded by users during the checkout process and send it to a remote server controlled by the attackers.”
On execution, the malware is designed to steal credit card information from the checkout pages and send it to an external server.
This is not the first time GTM has been abused for malicious purposes. In April 2018, Sucuri revealed that the tool was being leveraged for malvertising.
The development comes weeks after the company also warned of a separate WordPress campaign that likely exploits vulnerabilities in plugins or compromises administrator accounts to install malware that redirects site visitors to malicious URLs.