Hackers are using Google Tag Manager (GTM) to inject malware into Magento-based eCommerce websites, enabling them to steal credit card numbers during customer checkout.
Security researchers at Sucuri found that the skimmer is planted in two places: an obfuscated JavaScript payload stored in the cms_block.content database table, where Magento keeps the static CMS blocks it renders into storefront pages, and a hidden PHP backdoor that gives the attackers a way back in. Because the injected code is wrapped in what looks like a standard GTM container snippet, it blends in with the tracking tags most stores already run and is easy to miss in a casual review. Once active, the malware captures credit card details entered on checkout pages and transmits them to an attacker-controlled external server.
Sucuri’s investigation revealed that at least six websites were compromised using the same GTM ID. The campaign uses the domain eurowebmonitortool[.]com, which at the time of the report had been blocklisted by 15 security vendors on VirusTotal. The backdoor is a PHP file at ./media/index.php, placed in the site’s media upload directory, and it gives the attackers persistent access to the store’s content management system even after the skimmer script itself is removed. Dropping a PHP backdoor into a writable upload directory is a common persistence technique across Magento, WordPress and Drupal sites, which is what makes this campaign particularly concerning: clean up only the visible script and the attackers simply re-inject it.
To mitigate the threat, Sucuri recommends removing suspicious GTM tags (including custom HTML tags in the GTM container that nobody on the team added), conducting a comprehensive website scan, deleting the malicious script from cms_block.content and the backdoor file from the media directory, and ensuring that Magento and all extensions are updated with the latest security patches. Ongoing monitoring of site traffic and GTM activity is essential to detect unusual behavior and prevent further attacks.
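The two indicators the article describes, an obfuscated script hiding behind a GTM snippet in cms_block.content and a PHP file dropped under media/, are both easy to triage offline from a database dump and a copy of the webroot. The script below is an added example written for this article, not Sucuri’s tooling or Magento’s own code; the sample cms_block rows and the media/ fixture are constructed, the GTM container ID GTM-XXXXXXX is a placeholder, and the only real indicator it carries is the campaign domain reported above.

```python
"""Triage helper for the Magento/GTM skimmer indicators described in the article.

Checks two things: (1) cms_block.content rows that carry a Google Tag Manager
snippet together with JavaScript obfuscation markers a legitimate GTM loader
never needs, and (2) PHP files under the media/ upload directory, which should
hold images and downloads, never executable code.
"""
import re
import tempfile
from pathlib import Path

# The standard GTM loader always references this script; the container ID is
# the GTM-XXXX value the loader passes along.
GTM_LOADER_RE = re.compile(r"googletagmanager\.com/gtm\.js", re.I)
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")

# Obfuscation markers. None of these appear in a genuine GTM snippet, so any
# one of them sitting next to a GTM loader in a CMS block deserves a look.
OBFUSCATION_RES = {
    "atob": re.compile(r"\batob\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

# Exfiltration domain reported for this campaign (undefanged here so it matches
# what is actually stored in the database).
KNOWN_BAD_HOSTS = {"eurowebmonitortool.com"}

# PHP-executable extensions that have no business under media/.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_cms_block(block_id, content):
    """Return a finding dict for one cms_block row, or None if it looks clean."""
    has_gtm = bool(GTM_LOADER_RE.search(content) or GTM_ID_RE.search(content))
    gtm_id = GTM_ID_RE.search(content)
    hits = [name for name, rx in OBFUSCATION_RES.items() if rx.search(content)]
    bad_hosts = sorted(h for h in KNOWN_BAD_HOSTS if h in content)
    # A known-bad host is a finding on its own; obfuscation only counts when it
    # is hiding behind a GTM snippet, which is the pattern this campaign uses.
    if not bad_hosts and not (has_gtm and hits):
        return None
    return {
        "block_id": block_id,
        "gtm_id": gtm_id.group(0) if gtm_id else None,
        "indicators": hits,
        "known_bad_hosts": bad_hosts,
    }


def scan_cms_blocks(rows):
    """rows: iterable of (block_id, content) as pulled from cms_block."""
    return [f for f in (scan_cms_block(i, c) for i, c in rows) if f]


def find_php_under_media(media_dir):
    """List PHP-executable files below media/, relative to it."""
    root = Path(media_dir)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS
    )


# Constructed sample rows: a plain block, a genuine-looking GTM loader, a GTM
# loader followed by an eval(atob(...)) payload, and a direct load from the
# campaign domain. The base64 blob decodes to the word "hello".
SAMPLE_ROWS = [
    (1, "<p>Free shipping on orders over $50</p>"),
    (2, "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
        "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
        "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;"
        "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;"
        "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer',"
        "'GTM-XXXXXXX');</script>"),
    (3, "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX'>"
        "</script><script>eval(atob('aGVsbG8='))</script>"),
    (4, "<script src='https://eurowebmonitortool.com/tag.js'></script>"),
]


def demo_media_scan():
    """Build a throwaway media/ tree with one planted index.php and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "media"
        (media / "catalog" / "product").mkdir(parents=True)
        (media / "catalog" / "product" / "cat.jpg").write_bytes(b"\xff\xd8\xff")
        (media / ".htaccess").write_text("Options -Indexes\n")
        (media / "index.php").write_text("<?php /* constructed stand-in */ ?>\n")
        return find_php_under_media(media)


if __name__ == "__main__":
    for finding in scan_cms_blocks(SAMPLE_ROWS):
        print("cms_block", finding)
    print("php under media/:", demo_media_scan())
```

Against a real store, feed scan_cms_blocks the result of `SELECT block_id, content FROM cms_block` and point find_php_under_media at the site’s media/ (pub/media on Magento 2). A hit on block 2 style content alone is not expected: a genuine GTM loader carries no obfuscation markers, so the check flags only blocks where a GTM snippet and decoded or encoded payload code appear together, or where the known campaign domain is referenced. Extend KNOWN_BAD_HOSTS with any other exfiltration domains seen in your own traffic logs.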