
Security researchers have discovered threat actors exploiting Google Tag Manager (GTM) to deploy credit card skimming malware on Magento-based e-commerce platforms. Website security firm Sucuri identified malicious code masquerading as legitimate GTM and Google Analytics scripts, which contained an obfuscated backdoor providing persistent attacker access.
The campaign, identified by the GTM container identifier GTM-MLHK2N68, has affected three websites, down from six initially reported. The malware is loaded from the Magento database field cms_block.content (the content column of the cms_block table), where the GTM tag carries encoded JavaScript that functions as a credit card skimmer.
According to security researcher Puja Srivastava, the malicious script targets sensitive data during checkout processes, transmitting captured information to attacker-controlled servers. The primary objective is to steal credit card details from e-commerce checkout pages.
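Because the loader lives in a database field rather than in a file on disk, file-integrity monitoring alone will not surface it; the rows themselves need to be audited. The following is an added example, not code from the article or from Sucuri or Magento. It assumes the cms_block table has been exported as (identifier, content) pairs, that the shop's own legitimate container id is known (placeholder GTM-SHOPOWN1), and that the sample rows, including the base64 blob, are constructed; the loader snippet is a simplified form of Google's. The only page-derived value is the container id GTM-MLHK2N68, used here as the unknown id that should be flagged.

```python
"""Audit exported Magento cms_block rows for rogue GTM containers and encoded scripts.

Added example, not code from the article or from Sucuri/Magento.  It assumes
the cms_block table has been exported as (identifier, content) pairs and that
the shop's own GTM container id is known; all sample rows are constructed.
"""
import base64
import binascii
import re

# Assumption: the shop's legitimate container id (placeholder value).
ALLOWED_GTM_IDS = {"GTM-SHOPOWN1"}

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{5,10}\b")
# Base64 runs long enough to carry a script rather than a short token or hash.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
# Runtime decoding helpers that a plain GTM loader snippet never needs.
OBFUSCATION_RE = re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode")
# Tokens that indicate a decoded blob is JavaScript rather than, say, an image.
SCRIPT_MARKERS = ("document", "window", "script", "function", "eval", "atob")


def gtm_loader(container_id):
    """Simplified form of the GTM loader snippet, parameterised by container id."""
    return (
        "<script>(function(w,d,s,l,i){w[l]=w[l]||[];"
        "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
        "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
        "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','"
        + container_id + "');</script>"
    )


def find_gtm_ids(content):
    """Return the sorted set of GTM container ids referenced in a block."""
    return sorted(set(GTM_ID_RE.findall(content)))


def decode_base64_runs(content):
    """Decode long base64 runs that yield printable text; skip anything binary."""
    decoded = []
    for run in B64_RUN_RE.findall(content):
        padded = run + "=" * (-len(run) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded.append(text)
    return decoded


def audit_block(content):
    """Return a list of findings for one cms_block content value (empty if clean)."""
    findings = []
    for gtm_id in find_gtm_ids(content):
        if gtm_id not in ALLOWED_GTM_IDS:
            findings.append("unknown GTM container " + gtm_id)
    if OBFUSCATION_RE.search(content):
        findings.append("uses eval/atob/unescape/fromCharCode decoding")
    for text in decode_base64_runs(content):
        if any(marker in text.lower() for marker in SCRIPT_MARKERS):
            findings.append("base64 blob decodes to script-like text: " + text[:40])
    return findings


def audit_blocks(rows):
    """Audit (identifier, content) pairs; return {identifier: findings} for flagged rows."""
    report = {}
    for identifier, content in rows:
        findings = audit_block(content)
        if findings:
            report[identifier] = findings
    return report


# Constructed sample rows.  The encoded blob is a harmless placeholder string;
# it is only there so the detector has something to decode.
_ENCODED_PLACEHOLDER = base64.b64encode(
    b"document.title = 'constructed placeholder, not a real payload';"
).decode("ascii")

SAMPLE_ROWS = [
    ("footer_links", "<ul><li><a href='/contact'>Contact</a></li></ul>"),
    ("gtm_head", gtm_loader("GTM-SHOPOWN1")),
    (
        "promo_banner",
        "<div class='promo'>Free shipping over $50</div>"
        + gtm_loader("GTM-MLHK2N68")  # container id named in the article
        + "<script>eval(atob('" + _ENCODED_PLACEHOLDER + "'));</script>",
    ),
]

if __name__ == "__main__":
    for identifier, findings in audit_blocks(SAMPLE_ROWS).items():
        print(identifier)
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the three checks are independent: an unlisted container id is worth a look even without obfuscation, and an eval/atob wrapper around a long base64 run is suspicious even when the container id is a known one, since an attacker with write access to cms_block can append to any block. Checking the same rows on a schedule, and diffing the report over time, catches a tag that is re-injected after cleanup.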
This isn’t the first instance of GTM abuse, with previous cases documented in April 2018 when it was exploited for malvertising campaigns. The discovery follows recent reports of WordPress attacks using plugin vulnerabilities and compromised admin accounts to redirect users to malicious URLs.