CyberSecurity news

FlagThis - #EcommerceSecurity

Pierluigi Paganini@securityaffairs.com //
Hackers are exploiting Google Tag Manager (GTM) to deploy credit card skimmers on Magento-based e-commerce websites. According to reports from The Hacker News, Sucuri, and CISO2CISO, malicious actors are leveraging GTM to deliver malware that targets sensitive payment data. The attack involves injecting code that appears to be a standard GTM or Google Analytics script but contains an obfuscated backdoor. This allows the attackers to gain persistent access to the websites.

Sucuri's investigation into a customer's Magento site revealed that credit card details were being stolen via a skimmer loaded from the cms_block.content database table. The GTM tag contained encoded JavaScript designed to collect and transmit sensitive user data entered during the checkout process to a remote server controlled by the attackers. This highlights the importance of securing third-party integrations and regularly monitoring website files for any suspicious code.



References :
  • Sucuri Blog: Sucuri warns of credit card data theft from website.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager
  • The Hacker News: The Hacker News reports on hackers exploiting Google Tag Manager to deploy credit card skimmers.
  • Sucuri: Sucuri warns of credit card data theft from a customer's Magento-based eCommerce website. The credit card skimmer malware is delivered by leveraging Google Tag Manager (GTM). GTM is a free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site's code directly.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores – Source:thehackernews.com
  • securityaffairs.com: Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.
  • Security Intelligence: Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
  • www.scworld.com: Magento stores compromised with Google Tag Manager skimmer
  • gbhackers.com: Information on hackers exploiting Google Tag Manager to steal credit card data from e-commerce sites.
  • securityonline.info: SecurityOnline article on hackers exploiting Google Tag Manager.
  • gbhackers.com: Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites
  • securityonline.info: Hackers Exploit Google Tag Manager to Steal Credit Card Data from Magento Sites
  • Sucuri Blog: Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.
  • Search Engine Journal (www.searchenginejournal.com): Hackers Use Google Tag Manager to Steal Credit Card Numbers
Classification:
  • HashTags: #GTM #CreditCardskimmer #EcommerceSecurity
  • Company: Google
  • Target: Magento e-commerce websites
  • Product: Google Tag Manager
  • Feature: Google Tag Manager
  • Malware: Credit card skimmer
  • Type: Malware
  • Severity: Major
Pierluigi Paganini@Security Affairs //
A web skimming campaign has targeted multiple websites, including Casio UK, in a sophisticated double-entry attack. Security firm Jscrambler discovered that at least 17 websites were compromised, with the attack on Casio UK lasting from January 14th to January 24th. The threat actor installed a web skimmer on all pages except the checkout page. This skimmer altered the usual payment flow, manipulating the user into entering sensitive information such as name, address, email, phone number, and credit card details into a fake payment form.

The double-entry technique involved an unobfuscated loader that fetched a second-stage skimmer from an attacker-controlled server. This skimmer encrypted and exfiltrated sensitive customer information, including contact information, credit card details, and billing addresses, concealing malicious activity through XOR-based string masking and custom encoding. After completing the fake form, victims were redirected to the legitimate checkout page, where they were asked to fill out the same details again. Jscrambler noted that Casio UK's website had a content security policy set to report-only, which logged events but failed to prevent the attack.
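The report-only finding above is the practical point for defenders: a policy delivered as `Content-Security-Policy-Report-Only` generates violation reports but never blocks a script fetched from an attacker-controlled host, whereas the same policy sent as `Content-Security-Policy` does. The following checker is an added example, not code from Jscrambler or from the original post; the header values and the skimmer origin are constructed placeholders, and its source matching covers host, scheme and wildcard expressions only.

```python
"""Decide whether a site's CSP would block, merely report, or ignore a third-party
skimmer script. Sample headers below are constructed, not Casio UK's real config."""
from typing import Dict, List, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def origin_allowed(sources: List[str], origin: str) -> bool:
    """Match an origin against CSP host/scheme/wildcard sources. Quoted keywords
    ('self', nonces, hashes) are skipped: the skimmer host is third-party here."""
    scheme, _, host = origin.lower().partition("://")
    for src in sources:
        s = src.lower()
        if s.startswith("'"):
            continue
        if s == "*" or s == scheme + ":":
            return True
        src_scheme, sep, src_host = s.partition("://")
        if not sep:                      # scheme-less host expression
            src_scheme, src_host = scheme, s
        if src_scheme != scheme:
            continue
        if src_host == host or (src_host.startswith("*.") and host.endswith(src_host[1:])):
            return True
    return False

def assess_csp(headers: Dict[str, str], skimmer_origin: str) -> Dict[str, str]:
    """Return the delivery mode and what happens to a script from skimmer_origin."""
    enforcing = _header(headers, "Content-Security-Policy")
    report_only = _header(headers, "Content-Security-Policy-Report-Only")
    if enforcing is None and report_only is None:
        return {"mode": "none", "outcome": "loaded"}
    mode, policy = ("enforcing", enforcing) if enforcing else ("report-only", report_only)
    d = parse_csp(policy)
    allowed = origin_allowed(d.get("script-src", d.get("default-src", [])), skimmer_origin)
    outcome = "loaded" if allowed else ("blocked" if mode == "enforcing" else "loaded-and-reported")
    return {"mode": mode, "outcome": outcome}

POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report"
REPORT_ONLY_HEADERS = {"Content-Security-Policy-Report-Only": POLICY}   # constructed
ENFORCING_HEADERS = {"Content-Security-Policy": POLICY}                 # constructed
SKIMMER_ORIGIN = "https://second-stage.example.net"   # placeholder attacker host
```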



References :
  • securityaffairs.com: Web Skimmer found on at least 17 websites, including Casio UK
  • www.scworld.com: Web skimming campaign hits several websites
  • ciso2ciso.com: Casio Website Infected With Skimmer – Source: www.securityweek.com
  • ciso2ciso.com: CISO to CISO reports on the web skimming attack against Casio and 16 other websites.
  • Pyrzout :vm:: Casio and 16 Other Websites Hit by Double-Entry Web Skimming Attack – Source:hackread.com
  • ciso2ciso.com: The attackers' goal was to harvest and exfiltrate visitor information.
  • Secure Bulletin: On February 3, 2025, the Casio UK online store fell victim to a significant cyberattack, leading to the unauthorized access and theft of customer credit card information.
  • BleepingComputer: Casio UK's e-shop at casio.co.uk was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.
  • www.bleepingcomputer.com: Bleeping Computer article on the Casio UK online store being hacked to steal customer credit cards.
  • securebulletin.com: Malicious scripts on the CASIO e-shop stole credit card and personal customer details
Classification:
  • HashTags: #WebSkimming #CasioHack #EcommerceSecurity
  • Target: Multiple e-commerce websites and their customers
  • Product: e-commerce platforms
  • Feature: Payment processing
  • Malware: Web skimmer
  • Type: DataBreach
  • Severity: Medium