Menace actors have been noticed leveraging Google Tag Supervisor (GTM) to ship bank card skimmer malware focusing on Magento-based e-commerce web sites.
Web site safety firm Sucuri said the code, whereas showing to be a typical GTM and Google Analytics script used for web site analytics and promoting functions, comprises an obfuscated backdoor able to offering attackers with persistent entry.
As of writing, as many as three sites have been discovered to be contaminated with the GTM identifier (GTM-MLHK2N68) in query, down from six reported by Sucuri. GTM identifier refers to a container that features the assorted monitoring codes (e.g., Google Analytics, Fb Pixel) and guidelines to be triggered when sure circumstances are met.
Additional evaluation has revealed that the malware is being loaded from the Magento database desk “cms_block.content material,” with the GTM tag containing an encoded JavaScript payload that acts as a bank card skimmer.
“This script was designed to gather delicate knowledge entered by customers through the checkout course of and ship it to a distant server managed by the attackers,” safety researcher Puja Srivastava stated.
Upon execution, the malware is designed to pilfer bank card data from the checkout pages and ship it to an exterior server.
This isn’t the primary time GTM has been abused for malicious functions. In April 2018, Sucuri revealed that the instrument was being leveraged for malvertising functions.
The event comes weeks after the corporate detailed one other WordPress marketing campaign that seemingly employed vulnerabilities in plugins or compromised admin accounts to put in malware that redirected web site guests to malicious URLs.
Source link