Attackers are abusing Google Tag Manager (GTM) on compromised Magento-based eCommerce websites to inject an obfuscated script that steals credit card details during checkout. The malware is paired with a hidden PHP backdoor that preserves the attackers' access to the site and exfiltrates user data. Security researchers at Sucuri, who identified the malware, found it loaded from the database table cms_block.content, and noted that the GTM snippet itself looks like the standard loader, so it passes a casual review of the page source; the detail that gives it away is the container ID, which should be compared against the container the site owner actually provisioned.
Once activated, the script captures card details entered on the Magento checkout page and transmits them to an attacker-controlled external server. Sucuri also found a PHP backdoor at ./media/index.php; the backdoor is generic and works on other PHP content management systems such as WordPress, Drupal, and Joomla, not only Magento.
At least six websites were found infected with the same GTM container ID, and the domain eurowebmonitortool[.]com is associated with the campaign; at the time of the report it was blocklisted by 15 security vendors on VirusTotal.
To mitigate the threat, Sucuri recommends the following steps for cleaning infected websites:
- Remove any GTM tags or containers that the site owner did not create.
- Run a full website scan, covering both files and the database (including the cms_block table), to identify other malware or backdoors.
- Delete any malicious scripts or backdoor files, including PHP files in upload directories such as media/, which should hold static content only.
- Update Magento and all extensions to the latest security patches.
- Monitor site traffic and the GTM container regularly for unexpected changes.
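Two of these steps, checking cms_block content for unexpected GTM containers or injected script and checking media/ for PHP files, can be scripted. The example below is added here to illustrate the checks and is not code from Sucuri or the Magento project. It uses an in-memory SQLite stand-in for the cms_block table with constructed rows, placeholder container IDs GTM-EXAMPLE1 and GTM-EXAMPLE2, and a heuristic obfuscation regex chosen for the example; the only indicator taken from the report is the eurowebmonitortool[.]com domain. Against a real store you would point the query at the Magento database and the path check at the document root.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# GTM container IDs as they appear in the standard gtm.js loader snippet.
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
# Crude obfuscation indicators; a heuristic chosen for this example, not from the report.
OBFUSCATION_RE = re.compile(r"eval\(|atob\(|String\.fromCharCode|unescape\(|\\x[0-9a-fA-F]{2}")
# Exfiltration domain named in the report, kept defanged and refanged only for matching.
KNOWN_BAD_DOMAINS = {"eurowebmonitortool[.]com".replace("[.]", ".")}


def gtm_loader(container_id):
    """Standard-looking GTM loader snippet, constructed here for the sample rows."""
    return ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];"
            "var j=d.createElement(s);j.async=true;"
            "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
            "d.head.appendChild(j);})(window,document,'script','dataLayer','%s');</script>"
            % container_id)


def load_sample_db():
    """In-memory stand-in for Magento's cms_block table (subset of columns); all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_block (block_id INTEGER, identifier TEXT, content TEXT, is_active INTEGER)")
    bad_domain = next(iter(KNOWN_BAD_DOMAINS))
    rows = [
        (1, "footer_contact", "<p>Contact us at support@example.com</p>", 1),
        (2, "gtm_head", gtm_loader("GTM-EXAMPLE1"), 1),       # the site's own container
        (3, "promo_banner", gtm_loader("GTM-EXAMPLE2"), 1),   # a second, unexplained container
        (4, "legacy_widget", "<script>eval(atob('aGVsbG8='));</script>", 1),
        (5, "old_tracker", "<script src='https://%s/t.js'></script>" % bad_domain, 0),
    ]
    conn.executemany("INSERT INTO cms_block VALUES (?, ?, ?, ?)", rows)
    return conn


def scan_cms_blocks(conn, allowed_containers):
    """Return a finding for every cms_block row (active or not, since an admin can
    re-enable a block) that carries an unlisted GTM container, an obfuscation
    indicator, or a known bad domain."""
    findings = []
    query = "SELECT block_id, identifier, content, is_active FROM cms_block ORDER BY block_id"
    for block_id, identifier, content, is_active in conn.execute(query):
        reasons = []
        for cid in sorted(set(GTM_ID_RE.findall(content))):
            if cid not in allowed_containers:
                reasons.append("unlisted GTM container " + cid)
        if OBFUSCATION_RE.search(content):
            reasons.append("obfuscation indicator")
        lowered = content.lower()
        for domain in KNOWN_BAD_DOMAINS:
            if domain in lowered:
                reasons.append("known bad domain " + domain)
        if reasons:
            findings.append({"block_id": block_id, "identifier": identifier,
                             "is_active": bool(is_active), "reasons": reasons})
    return findings


def find_php_under_media(docroot):
    """media/ should hold uploads only; any .php file there (the report's backdoor
    sat at ./media/index.php) is a removal candidate. Returns POSIX-style relative paths."""
    docroot = Path(docroot)
    media = docroot / "media"
    if not media.is_dir():
        return []
    return sorted(p.relative_to(docroot).as_posix() for p in media.rglob("*.php"))


def make_sample_docroot():
    """Constructed document root with one planted PHP file in media/ and one legitimate image."""
    root = Path(tempfile.mkdtemp(prefix="magento-docroot-"))
    (root / "media" / "catalog").mkdir(parents=True)
    (root / "media" / "index.php").write_text("<?php /* planted for the example */ ?>")
    (root / "media" / "catalog" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    # Only GTM-EXAMPLE1 is the container the (hypothetical) site owner provisioned.
    for finding in scan_cms_blocks(load_sample_db(), {"GTM-EXAMPLE1"}):
        print(finding)
    for path in find_php_under_media(make_sample_docroot()):
        print("PHP file in media/:", path)
```

The allowlist is the important input: because the injected block is a byte-for-byte normal GTM loader, a signature scan of cms_block finds nothing, and only comparing the container ID against the one the business actually owns separates block 2 from block 3 in the sample. The obfuscation and domain checks catch older-style inline injections, and the media/ walk covers the backdoor, but none of these replace reviewing the tags configured inside the GTM container itself.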