Magecart Attackers Abuse Google Ad Tool to Steal Data

Attackers are exploiting Google Tag Manager by planting malicious code within e-commerce sites built on the Magento platform. The code can steal payment card data, demonstrating a new type of Magecart attack that leverages Google’s free, legitimate website marketing tool.

Researchers from Sucuri discovered an ongoing Magecart campaign in which attackers load code that appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking script from a database onto e-commerce sites. These tracking scripts are typically used for website analytics and advertising purposes; however, the code used in the campaign has been tweaked to act as a card skimmer for the infected site, the researchers revealed in a recent blog post.

“Within the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer,” Sucuri security analyst Puja Srivastava wrote in the post. “This script was designed to collect sensitive data entered by users during the checkout process and send it to a remote server controlled by the attackers.”

So far, Sucuri has uncovered at least six sites affected by the campaign, “indicating that this threat is actively affecting multiple sites,” Srivastava wrote.

Exploiting a Legitimate Google Tool for Card Skimming

Related:Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

The attack demonstrates a nontypical Magecart attack that leverages a legitimate free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site’s code directly. GTM eliminates the need for developer intervention each time a marketer aims to track or modify an ad or marketing campaign.

Sucuri researchers were alerted to the Magecart activity by a customer who found that someone was stealing credit card payment data from its e-commerce site. An investigation led to the discovery of malware being loaded from a database table cms_block.content file for the website. The malware abused a GTM tag, which was altered by embedding an encoded JavaScript payload that acted as a credit card skimmer.

Attackers obfuscated the script using the technique function _0x5cdc, which maps index values to specific characters in the array. This makes it difficult for someone to immediately understand the purpose of the script, Srivastava wrote.

The script also uses a series of mathematical operations in a loop, further scrambling the code, and also uses Base64 encoding. “This is a trick often used by attackers to disguise the true purpose of the script,” she wrote.

The researchers also discovered an undeployed backdoor in one of the website’s files that “could have been exploited to further infect the site, providing attackers with persistent access,” Srivastava added. Indeed, Magecart attackers last year demonstrated a new tactic of stashing backdoors on websites to deploy malware automatically.

Related:Behavioral Analytics in Cybersecurity: Who Benefits Most?

Sucuri also previously investigated malicious activity that abused GTM to hide other types of malicious activity, including malvertising as well as malicious pop-ups and redirects.

Mitigation & Remediation of Magecart Attacks

“Magecart” refers to a loose collective of cybercriminal groups involved in online payment card-skimming attacks. These attacks typically inject card skimmers into websites to steal payment card data that can later be monetized. Big-name organizations that have been targeted by these attacks include Ticketmaster, British Airways, and the Green Bay Packers NFL team.

Once they identified the source of infection on their customer’s site, Sucuri researchers removed the malicious code from any other compromised areas of the site, as well as cleaned up the obfuscated script and the backdoor to prevent the malware from being reintroduced.

To ensure an organization’s e-commerce site has not been affected by the campaign, administrators should log in to GTM, and then identify and delete any suspicious tags that are being used on the site, Sucuri recommended. They also should perform a full website scan to detect any other malware or backdoors, and remove any malicious scripts or backdoor files.

Related:Cybercrime Forces Local Law Enforcement to Shift Focus

E-commerce sites built on Magento and their extensions also should be updated with the latest security patches, while all site administrators should regularly monitor e-commerce site traffic as well as GTM activity for anything unusual.