Cyber Security News

Hackers Exploiting Google Tag Manager to Steal Credit Card Data from eCommerce Sites

In a concerning development, cybercriminals are leveraging Google Tag Manager (GTM), a legitimate tool widely used by eCommerce websites, to deploy malicious scripts designed to steal credit card information.

This attack vector, often referred to as Magecart or e-skimming, has been observed targeting platforms like Magento, WordPress, and OpenCart, among others.

The abuse of GTM containers allows hackers to bypass traditional security measures by embedding malicious JavaScript within trusted website elements.

How the Attack Works

Google Tag Manager is a tag management system that enables website administrators to manage and deploy marketing tags without altering the site’s code directly.


However, its flexibility and integration with trusted domains like googletagmanager.com make it an attractive target for exploitation.

Threat actors create GTM containers containing custom HTML tags or obfuscated JavaScript payloads that act as credit card skimmers.

These scripts are injected into the checkout pages of compromised eCommerce sites, where they capture sensitive payment details entered by customers and transmit them to remote servers controlled by the attackers.

Recent investigations revealed that some attackers use advanced obfuscation techniques, such as Base64 encoding and dynamic script loading, to conceal their activities.

In some cases, the skimmer code mimics legitimate GTM or Google Analytics scripts, making detection even more challenging for website administrators.

Impact on eCommerce Sites

Sucuri reports indicate that hundreds of eCommerce domains have been compromised globally, with over 165,000 payment card records exposed and sold on dark web marketplaces.

Victim sites often remain unaware of the breach for months due to the stealthy nature of these attacks.

The consequences for affected businesses include financial losses, reputational damage, and loss of customer trust.

For example, a recent case involving a Magento-based eCommerce site uncovered malware embedded in the site’s database through GTM exploitation.

The malicious script exfiltrated credit card data during checkout and sent it to an external server.

Similar incidents have been reported across other platforms like WooCommerce and Shopify.

To combat this growing threat, cybersecurity experts recommend several measures:

  • Audit GTM Containers: Regularly review all tags within GTM containers for suspicious or unauthorized scripts.
  • Apply Security Patches: Ensure all CMS platforms and plugins are up-to-date with the latest security updates.
  • Monitor Website Traffic: Use tools to detect unusual activity or unauthorized data exfiltration.
  • Implement Web Application Firewalls (WAFs): Deploy WAFs to block malicious scripts and unauthorized access.
  • Educate Administrators: Train website managers to recognize signs of compromise and maintain strong security hygiene.
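As an added illustration of the container audit recommended above (not code from the article or from Sucuri), the following Python sketch scans a rendered page for GTM container IDs that are not on the site's own allowlist and for inline scripts that combine Base64 decoding with dynamic script loading. The allowlist, the heuristic patterns, and the sample page with its container IDs are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")  # container ID as seen in gtm.js URLs
# Heuristics (assumed) for the obfuscation the article names: Base64 + dynamic loading.
BASE64_DECODE = re.compile(r"\batob\s*\(")
DYNAMIC_LOAD = re.compile(r"createElement\s*\(\s*['\"]script['\"]|\beval\s*\(|new\s+Function\s*\(")

class ScriptCollector(HTMLParser):
    """Collects script/iframe src URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.srcs.append(src)
        if tag == "script":
            self._in_script = not src  # only scripts without src have a body to inspect

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def audit_page(html, approved_ids):
    """Return (finding_type, detail) tuples for one rendered page."""
    parser = ScriptCollector()
    parser.feed(html)
    seen = set(GTM_ID.findall(" ".join(parser.srcs + parser.inline)))
    findings = [("unapproved-gtm-container", cid) for cid in sorted(seen - set(approved_ids))]
    for i, body in enumerate(parser.inline):
        if BASE64_DECODE.search(body) and DYNAMIC_LOAD.search(body):
            findings.append(("base64-plus-dynamic-load", f"inline script #{i}"))
    return findings

# Constructed sample: one approved container, one unknown container, and one
# inline script showing both heuristics (inert placeholder value).
SAMPLE = """<html><head>
<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-ABC1234');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZ9999"></script>
<script>var s=document.createElement('script');s.src=atob('Q09OU1RSVUNURUQ=');</script>
</head></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, {"GTM-ABC1234"}))
```

A finding is a prompt for manual review of the page source and the database fields that produce it, not proof of compromise; the same check can be run over stored CMS content blocks as well as rendered checkout pages.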

The abuse of Google Tag Manager highlights the evolving sophistication of cyberattacks targeting eCommerce platforms.

By exploiting trusted tools like GTM, hackers can infiltrate websites undetected and harvest sensitive financial data.

It is imperative for businesses to adopt proactive security measures to safeguard their customers’ information and maintain trust in online transactions.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
