Magecart Attackers Use Google Tag Manager to Steal Payment Data

Introduction

Cybercriminals never stop innovating, and the latest Magecart attack is one such example of their ingenuity. Hackers have discovered how to exploit Google Tag Manager (GTM)—a widely used website analytics and ad management tool—to inject malicious code into Magento-based e-commerce sites. It allows them to steal sensitive payment information directly from checkout pages. With increasing digital payment fraud, the organizations must be more vigilant and use darknet monitoring services, brand protection strategies, tracking of compromised data, etc., to reduce risks as much as possible.

How Magecart Attackers Use Google Tag Manager for Data Theft

Sucuri security researchers recently discovered an ongoing Magecart campaign where attackers injected JavaScript-based credit card skimmers into GTM tags. These tags, which are otherwise used to track website traffic and marketing campaigns, were hijacked to secretly siphon users' financial details.

According to Puja Srivastava, a security analyst at Sucuri, "There was an encoded JavaScript payload inside the GTM tag, which acted as a credit card skimmer. The script was supposed to collect all sensitive data inputted by users at checkout time and send it over to a remote server that attackers controlled."

So far, six Magento-based e-commerce sites have already been attacked, but more are believed to be in the crosshairs.

Exploiting a Legitimate Tool for Ill-Gotten Riches

Google Tag Manager is a free resource by which the owners of the website can deploy marketing tags as well as analytic tracking without interfering with the root code of a site. Now, while that is convenient enough, it is now being seen as a two-edged sword, because criminals use GTM to inject sly skimming scripts into websites.

How the Hack Works:

One of the most disturbing finds was an unused backdoor that existed within a website's files, suggesting that possibly more attacks may have been in the offing.

Also read: GTM Abuse Almost like Malvertising, Phishing Pop-ups, and Unsanctioned Site Redirects

Magecart Attacks

British Airways Breach (2018)

Magecart hackers compromised the airline’s payment page, stealing details of over 380,000 transactions. The attackers used an obfuscated JavaScript skimmer that sent data to a lookalike domain.

Ticketmaster Attack (2018)

The attack targeted a third-party chat widget integrated into Ticketmaster’s website. By compromising the vendor, attackers gained access to multiple websites, impacting thousands of users.

Newegg Hack (2018)

Magecart attackers injected skimming code into Newegg’s checkout page, harvesting credit card details for over a month before detection.

How Companies Can Protect Themselves from Magecart Attacks

Given the nature of this attack, companies need to be extra careful and prudent in advance with the potential of unauthorized access and data theft. Here is what to do

Continuous monitoring, including regular security audits and real-time detection of suspicious activities, is crucial for early threat identification. Lastly, reducing third-party dependencies minimizes attack vectors, making it harder for attackers to exploit vulnerabilities in external scripts.

What Can Consumers Do to Protect Themselves?

While businesses are responsible for securing their platforms, consumers can also take proactive measures to protect themselves from Magecart attacks. Using virtual credit cards or temporary card numbers offered by banks can minimize exposure in case of a breach. Regularly monitoring bank statements helps detect unauthorized transactions early, allowing for prompt action. Enabling two-factor authentication (2FA) on banking and payment accounts adds an extra layer of security, making it harder for attackers to gain access.

When making online purchases, avoid using public Wi-Fi, as unsecured networks can expose sensitive information to cybercriminals. Installing security-focused browser extensions can help detect and block malicious scripts that may attempt to steal payment details.

Additionally, always shop from trusted websites and avoid entering payment information on unfamiliar or unverified platforms. Lastly, keeping browsers, operating systems, and security software updated ensures protection against known vulnerabilities that attackers might exploit.

Conclusion

Businesses need to stay one step ahead of the curve as cyber criminals are increasingly using new vulnerabilities. The abuse of Google Tag Manager for Magecart attacks reminds us that legitimate tools can easily be weaponized for malicious purposes. Organizations can strengthen their defenses against digital fraud by implementing stolen credentials detection, darknet monitoring services, and compromised data tracking.

Brand protection and online risk evaluation are no longer a choice but are a must in the evolving cybersecurity landscape. Stay proactive, secure your digital assets, and keep your customers' data safe from prying hands.

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.