In a recent incident, a Magento-based eCommerce website fell victim to a credit card skimming attack in which the skimmer was delivered through a malicious script disguised as a Google Tag Manager (GTM) tag, according to a report by Puja Srivastava, a Security Analyst at Sucuri.
Google Tag Manager is a tool that allows website owners to manage and deploy marketing tags without altering the website's code directly. Attackers abused this trust: a script that looked like a GTM loader was in fact skimming credit card information from the checkout pages.
The malicious code was found in the content column of the cms_block database table and was disguised as a standard Google Tag Manager and Google Analytics tracking script. The script, however, contained an encoded JavaScript payload designed to collect sensitive data entered by users during the checkout process.
“At first glance, this code appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking script, which is often used for website analytics and advertising purposes,” the report states. “However, closer examination revealed that this code was not used for legitimate tracking but was instead malicious in nature.”
The attackers obfuscated the script to make it difficult to read, using a series of mathematical operations and Base64 encoding to scramble the code and disguise its true purpose.
The stolen credit card information was sent to a remote server controlled by the attackers. The report also identified a backdoor in the website’s code, which could have been used to further infect the site and maintain persistent access.
Sucuri’s investigation revealed that at least six websites were infected with this particular Google Tag Manager ID, indicating an active threat affecting multiple sites. The domain eurowebmonitortool[.]com, used in this malicious campaign, has been blocklisted by 15 security vendors at VirusTotal.
After identifying the malware’s source, Sucuri took immediate action to remove the malicious GTM tag, clean up the obfuscated script, and eliminate the backdoor.
To prevent further infections, eCommerce site owners are advised to:
- Review Google Tag Manager – Regularly audit GTM containers for suspicious tags.
- Perform a full malware scan – Scan Magento installations for hidden threats.
- Remove any unknown scripts or backdoors – Check for unfamiliar code within website files and databases.
- Keep Magento and all extensions up-to-date – Apply security patches promptly.
- Monitor site traffic and GTM activity – Watch for unusual behavior or unauthorized modifications.
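One way to carry out the database side of that audit, as an added example that is not from Sucuri's report or from Magento itself: the Python script below takes rows pulled from Magento's cms_block table (for instance with `SELECT identifier, content FROM cms_block WHERE content LIKE '%<script%'`) and flags any block whose inline script references a GTM container ID the owner does not recognise, contacts a non-Google host, calls unpacking primitives such as eval or atob, or embeds a Base64 run that decodes to JavaScript. The allowlist, the sample rows and the Base64 payload are all constructed for illustration.

```python
import base64
import binascii
import re

# Container IDs the site owner actually created. Hypothetical allowlist; a real
# audit takes it from the owner's own GTM account.
KNOWN_GTM_IDS = {"GTM-AAAA111"}

# Hosts a genuine GTM / Google Analytics loader is expected to reach.
LEGIT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Primitives the stock GTM snippet never uses but skimmers lean on to unpack payloads.
SUSPICIOUS_CALLS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_base64_js(blob):
    """True if blob is valid Base64 whose plaintext looks like JavaScript."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = decoded.decode("utf-8", errors="ignore")
    return any(tok in text for tok in ("function", "document.", "XMLHttpRequest", "fetch(", "input"))


def audit_block(identifier, content):
    """Return a list of human-readable findings for one cms_block row."""
    findings = []
    for script in SCRIPT_RE.findall(content):
        for gtm_id in sorted(set(GTM_ID_RE.findall(script))):
            if gtm_id not in KNOWN_GTM_IDS:
                findings.append(f"{identifier}: unknown GTM container {gtm_id}")
        for host in sorted(set(URL_HOST_RE.findall(script))):
            if host not in LEGIT_HOSTS:
                findings.append(f"{identifier}: script contacts non-Google host {host}")
        for call in SUSPICIOUS_CALLS:
            if call in script:
                findings.append(f"{identifier}: uses {call.rstrip('(')}")
        if any(looks_like_base64_js(run) for run in B64_RUN_RE.findall(script)):
            findings.append(f"{identifier}: embedded Base64 blob decodes to JavaScript")
    return findings


def audit_blocks(rows):
    """Audit (identifier, content) rows; return only blocks that raised findings."""
    report = {}
    for identifier, content in rows:
        findings = audit_block(identifier, content)
        if findings:
            report[identifier] = findings
    return report


# Constructed skimmer-style payload: Base64 of a tiny JS stub that touches form
# inputs. Built inline so the sample is reproducible; it is not Sucuri's sample.
FAKE_PAYLOAD = base64.b64encode(
    b"(function(){var i=document.querySelectorAll('input');/* exfil stub */})();"
).decode()

# Constructed rows mimicking Magento's cms_block table (identifier, content).
SAMPLE_BLOCKS = [
    ("footer_links", "<div class=\"footer\"><a href=\"/contact\">Contact</a></div>"),
    ("gtm_legit",
     "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
     "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
     "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
     "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);"
     "})(window,document,'script','dataLayer','GTM-AAAA111');</script>"),
    ("gtm_skimmer",
     "<!-- Google Tag Manager --><script>var id='GTM-ZZZZ999';"
     "eval(atob('" + FAKE_PAYLOAD + "'));"
     "new Image().src='https://stats.example-cdn.test/c?d=1';</script>"),
]

if __name__ == "__main__":
    for block, findings in audit_blocks(SAMPLE_BLOCKS).items():
        print(block)
        for finding in findings:
            print("  -", finding)
```

The genuine loader passes every check because it references only a known container ID and a Google host, while the constructed skimmer block trips all four heuristics at once. Any single hit is worth a manual look; a block that hits several should be treated as an incident, and the same scan is worth running over theme and module files as well as the database, since the report also found a file-based backdoor.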