Full Report
Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites. Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and advertising purposes, contains an obfuscated backdoor capable of providing attackers with persistent
Analysis Summary
# Tool/Technique: Google Tag Manager (GTM) Exploitation for Payment Skimming
## Overview
Threat actors are exploiting Google Tag Manager (GTM) configurations on Magento e-commerce websites to deploy credit card skimmer malware. The deployed code deceptively appears as legitimate GTM/Google Analytics tracking scripts but contains an obfuscated JavaScript payload designed to steal sensitive credit card information entered by users during checkout.
## Technical Details
- Type: Technique (Abuse of legitimate service/configuration)
- Platform: Magento e-commerce platforms, leveraging client-side JavaScript execution.
- Capabilities: Data exfiltration (credit card theft), persistent backdoor access (via database injection), code obfuscation.
- First Seen: A prior GTM abuse incident is noted from April 2018; the credit card skimming activity described here was reported in February 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (the compromised site delivers the malicious script to every visitor who loads it)
- **TA0006 - Credential Access**
  - T1550 - Use Alternate Authentication Material (if session tokens are harvested alongside card data)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (data sent to an attacker-controlled server)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (the malicious script is obfuscated)
## Functionality
### Core Capabilities
- **Data Collection:** The encoded JavaScript payload executes during the checkout process to capture user-entered credit card details.
- **Exfiltration:** Collected data is transmitted to a remote server controlled by the attackers.
### Advanced Features
- **Persistence/Injection:** The malicious code appears to be loaded from the Magento database table `cms_block.content`, suggesting an injection vulnerability has been leveraged to plant the malicious GTM configuration trigger.
- **Evasion:** The malicious code is obfuscated to resemble standard GTM/Analytics scripts, aiding in bypassing basic inspection.
- **Backdoor:** The script includes a mechanism capable of providing attackers with persistent access.
## Indicators of Compromise
- **File Hashes:** Not explicitly provided in the context.
- **File Names:** Not explicitly provided in the context, as the payload is deployed via GTM configuration.
- **Registry Keys:** Not applicable (Client-side web compromise).
- **Network Indicators:** Collected data is sent to a remote attacker-controlled server; the specific IP address or domain is not provided in the source.
- **Behavioral Indicators:**
  - Presence of the specific GTM container ID: `GTM-MLHK2N68`.
  - A malicious JavaScript payload loaded through a GTM tag presented as payment-processing monitoring.
  - Modifications or unexpected script content in the Magento database table `cms_block.content`.
## Associated Threat Actors
- Not explicitly named; described generally as "Threat actors." The technique is part of wider e-commerce compromise trends.
## Detection Methods
- **Signature-based detection:** Detection of the specific GTM container ID (`GTM-MLHK2N68`) in site configuration, page source, or network traffic.
- **Behavioral detection:** Monitoring client-side JavaScript for unusual data collection patterns targeting payment-related form fields (e.g., keylogging on input fields during checkout).
- **YARA rules:** Not directly applicable to a payload delivered through GTM configuration, though YARA could be used if the payload were saved as a file on the server.
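As an added example (not code from the Sucuri report or the Magento project), the following Python script audits Magento `cms_block.content` rows, or any other named HTML/JS fragments, for GTM container IDs outside the store's own allow-list and flags the container ID reported above. The sample rows and the authorized container `GTM-STORE01` are constructed for the demonstration.

```python
import re

# Constructed sample rows from the Magento table cms_block.content (not real data): one clean
# block, one carrying an injected GTM loader for the container ID reported as an indicator,
# and one legitimate block loading the store's own (hypothetical) container.
SAMPLE_CMS_BLOCKS = {
    "footer_links": "<div class=\"footer\"><a href=\"/contact\">Contact</a></div>",
    "checkout_banner": (
        "<p>Free shipping over $50</p>"
        "<script async src=\"https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68\"></script>"
    ),
    "header_analytics": (
        "<script async src=\"https://www.googletagmanager.com/gtm.js?id=GTM-STORE01\"></script>"
    ),
}

# The store's own container inventory; GTM-STORE01 is a hypothetical authorized container.
AUTHORIZED_CONTAINERS = {"GTM-STORE01"}
# Container ID reported on this page as an indicator of compromise.
KNOWN_MALICIOUS_CONTAINERS = {"GTM-MLHK2N68"}

# GTM container IDs are "GTM-" followed by upper-case letters and digits.
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")


def extract_gtm_ids(content):
    """Return the set of GTM container IDs referenced in a block of HTML/JS."""
    return set(GTM_ID_RE.findall(content))


def audit_cms_blocks(blocks, authorized=AUTHORIZED_CONTAINERS,
                     known_malicious=KNOWN_MALICIOUS_CONTAINERS):
    """Flag every GTM container in the given content that the store does not own.

    Returns a list of (block_identifier, container_id, verdict) tuples, where verdict is
    'known_malicious' for a published indicator and 'unauthorized' for any other container
    missing from the allow-list. Authorized containers produce no finding.
    """
    findings = []
    for identifier, content in blocks.items():
        for gtm_id in sorted(extract_gtm_ids(content)):
            if gtm_id in known_malicious:
                findings.append((identifier, gtm_id, "known_malicious"))
            elif gtm_id not in authorized:
                findings.append((identifier, gtm_id, "unauthorized"))
    return findings


if __name__ == "__main__":
    for identifier, gtm_id, verdict in audit_cms_blocks(SAMPLE_CMS_BLOCKS):
        print(f"{verdict:16} {gtm_id:14} in cms_block '{identifier}'")
```

The same `audit_cms_blocks` call works on fetched checkout page HTML keyed by URL, so the check can run against both the database and the rendered site.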
## Mitigation Strategies
- **Prevention Measures:**
  - Implement strong Content Security Policy (CSP) headers to restrict script sources.
  - Regularly audit Google Tag Manager containers for unauthorized changes or newly added, suspicious tags.
  - Ensure the Magento platform and all extensions are up to date to patch underlying vulnerabilities that may allow database injection.
  - Use Web Application Firewalls (WAFs) configured to detect skimming activity attempts.
- **Hardening Recommendations:**
  - Limit the scope and permissions of any service account or user that can modify the backend database or GTM configuration.
  - Implement Subresource Integrity (SRI) checks, though this is more complex for dynamic tags like GTM.
## Related Tools/Techniques
- **Prior GTM Abuse:** GTM was previously abused for malvertising campaigns (April 2018).
- **Other Compromise Vectors:** The source also mentions recent WordPress campaigns in which vulnerable plugins or compromised admin accounts led to traffic redirection.
- **Magecart/Web Skimmers:** This technique fits within the broader category of digital skimming attacks targeting payment card data.