It is common for cybersecurity criminals to exploit vulnerabilities in Magento to inject an obfuscated script, which has been delivered through Google Tag Manager (GTM), into Magento-based eCommerce platforms, which allows them to intercept and steal credit card information during the checkout process.
Using a hidden PHP backdoor, unauthorized access can be enabled, and continuous data exfiltration can continue, allowing persistence to be maintained.
A security researcher at Sucuri discovered that the credit card skimming malware was embedded in a database table called cms_block.content, which enables unauthorized access and continuous data exfiltration.
Because the malware is designed to avoid detection, it appears legitimate, and as a result, security measures may have a difficult time identifying and containing the threat. As a result, experts advise website administrators to implement enhanced security protocols so that such threats can be identified and eliminated efficiently.
An investigation conducted by Sucuri recently revealed the presence of sophisticated credit card skimming operations that targeted a Magento-based eCommerce platform. To carry out the attack successfully, Google Tag Manager (GTM) is being used to inject malicious JavaScript into the checkout process to facilitate the collection of payment information without the user's knowledge.
Throughout the cms_block, the malware was embedded to accomplish its purpose.
A database table containing content data, which allowed cybercriminals to intercept transactions discreetly, was analyzed further by Sucuri, which revealed that a hidden backdoor was hidden within the media directories, making it possible for the attacker to access the compromised system indefinitely.
It is well known that there is a great deal of threats to retailers and hospitality organizations, particularly those that operate eCommerce platforms, which are being exploited by third parties to gather information about real-time credit cards and send it to a remote server controlled by criminals.
Organizations in the retail and hospitality industries, particularly those utilizing eCommerce platforms, are at a much greater risk of being attacked with similar GTM-based attacks. This is because the use of stealthy, legitimate-looking scripts makes it difficult for store owners to detect and mitigate these threats.
It has become clear that WordPress and Magento are now used very widely as platforms for online retail operations, and as such, this attack methodology is very effective, and it could potentially negatively impact a wide range of businesses across the industry as a whole.
If these vulnerabilities are not addressed promptly, significant financial losses may occur, fraud chargebacks may be made, and the cardholder may not be in compliance with the Payment Card Industry Data Security Standard (PCI DSS) regulations, in addition to the potential financial losses.
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) has released a report containing intelligence that will help organizations enhance their threat detection and response capabilities by integrating the information from this report into their cybersecurity strategies.
In the attack, people see an unconventional Magecart operation utilizing Google Tag Manager (GTM), a legitimate and free tool from Google that allows website owners to easily manage and deploy marketing tags on their websites without having to modify the code directly.
To facilitate this process, GTM eliminates the need for developer intervention whenever marketers wish to track and adjust their advertising or marketing campaigns, as well as to track the effectiveness of their advertisements.
As a result of a customer reporting unauthorized access to their credit card payment data on their eCommerce platform, Sucuri's security researchers discovered Magecart's activity for the first time.
It was discovered by researchers that malware was being loaded from the cms_block after investigations were carried out.
The malware exploited a modified GTM tag that contained a JavaScript payload embedded in it, effectively acting as a credit card skimmer by encoding the payload. The attackers used a method of obfuscating index values by using the function _0x5cdc, which maps specific characters within an array to specific index values in an array to avoid detection.
There is no doubt that this method results in a huge amount of complexity and makes it much more challenging to determine the script's true purpose and prevent such sophisticated attacks from happening in the future. Taking proactive measures in detecting and mitigating threats is an important aspect of ensuring our systems' security, say cybersecurity experts.
An investigation by Sucuri found that the attackers used an obfuscated backdoor disguised as a Google Tag Manager (GTM) and Google Analytics script to gain unauthorised access to the data being collected for web analytics and advertising purposes.
It has been reported that Puja Srivastava, a Sucuri researcher, found a script that could be executed from a Magento database table, allowing credit card information to be exfiltrated when executed from that database table. Scripts are used to gather information from users during the checkout process, and they are then sent to remote servers controlled by attackers, as they were designed to gather sensitive information from users.
Earlier this month, Sucuri reported a series of security concerns related to WordPress plugins, which were exploited in a campaign targeting victims to redirect them to malicious websites, which were in turn used to compromise administrator accounts.
Additionally, almost seven years ago, Google Tag Manager was identified as one of the tools used in the development of a malvertising campaign. However, in another case, According to the Department of Justice, Andrei Fagaras and Tamas Kolozsvari have been indicted for their alleged involvement in a payment card skimming operation. During these incidents, it was highlighted that the threat of cyber-attacks targeted at eCommerce platforms has not been contained and that enhanced security measures are needed to protect sensitive financial information.
A group known as Magecart refers to a decentralized organization of cybercriminal organizations that conduct online payment card skimming attacks. These attacks typically involve injecting malicious code into websites to steal payment card information from customers, which is then monetized as needed.
Such attacks have caused major damage to several organizations, including Ticketmaster, British Airways, and even the Green Bay Packers football team. After identifying the source of the infection on the client's website, the Sucuri team took immediate action to get rid of the malicious code immediately, eliminating any malicious code found in all compromised areas of the client's website.
Aside from removing the malware from the system, they also removed obfuscated scripts and backdoors to prevent the malware from being reintroduced. Sucuri recommends that eCommerce platforms protect themselves against similar threats by logging into Google Tag Manager (GTM) and carefully reviewing all active tags, deleting any that appear suspicious from their list.
Moreover, organizations need to conduct a comprehensive website security scan to detect and remove any remaining malicious code, backdoor files, as well as other files that could compromise their website, ensuring the integrity of the digital infrastructure of their organization.
