Hackers are actively exploiting a vulnerability to inject an obfuscated script into Magento-based eCommerce websites. The malware is loaded via Google Tag Manager, allowing them to steal credit card numbers when customers check out. A hidden PHP backdoor is used to keep the code on the site and steal user data.
The credit card skimmer was discovered by security researchers at Sucuri, who report that the malware was loaded from a database table, cms_block.content. The Google Tag Manager (GTM) snippet on an infected site looks legitimate at first glance because the malicious code it carries is obfuscated to evade detection.
Once the malware was active, it would record credit card information entered on a Magento eCommerce checkout page and send it to an external server controlled by the attacker.
Sucuri security researchers also discovered a backdoor PHP file. PHP files are the ‘building blocks’ of many dynamic websites built on platforms like Magento, WordPress, Drupal, and Joomla. Thus a malicious PHP file, once injected, can run as part of the content management system itself.
This is the PHP file that researchers identified:
./media/index.php
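The two indicators named above (a GTM-looking script stored in cms_block.content, and a PHP file sitting in the media directory) can both be checked with a small heuristic scanner. The following Python is an added example written for this article, not code from Sucuri or from Magento. It assumes the site owner can supply an allow-list of legitimate GTM container IDs (the placeholder GTM-EXAMPLE1 here is constructed, as are the sample cms_block rows and the throwaway media/ tree) and flags GTM-like scripts that carry common obfuscation markers, unknown container IDs, or references to hosts other than googletagmanager.com. The media check simply lists any PHP files under media/, which should normally hold uploads only.

```python
"""Heuristic scanner for a GTM-disguised skimmer in cms_block.content and
for PHP files planted under media/. Constructed example, not Sucuri's code."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# ASSUMPTION: the site owner supplies the container IDs the site really uses.
KNOWN_GTM_IDS = {"GTM-EXAMPLE1"}  # placeholder value, not from the advisory

# Markers that are common in obfuscated inline JavaScript but absent from the
# genuine GTM loader snippet.
OBFUSCATION_MARKERS = [
    r"\beval\s*\(",
    r"\batob\s*\(",
    r"String\.fromCharCode",
    r"\bunescape\s*\(",
    r"(?:\\x[0-9a-fA-F]{2}){8,}",   # long runs of hex-escaped characters
    r"(?:\\u[0-9a-fA-F]{4}){8,}",   # long runs of unicode-escaped characters
]
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
HOST_RE = re.compile(r"https?://([^/'\"\s]+)")


@dataclass
class Finding:
    block_id: str
    reasons: list = field(default_factory=list)


def scan_cms_block(block_id, content, known_ids=KNOWN_GTM_IDS):
    """Return a Finding for one cms_block row, or None if nothing looks off."""
    reasons = []
    for script in SCRIPT_RE.findall(content):
        looks_like_gtm = "googletagmanager" in script.lower() or GTM_ID_RE.search(script)
        if not looks_like_gtm:
            continue  # only GTM-like scripts are in scope for this check
        for gtm_id in sorted(set(GTM_ID_RE.findall(script))):
            if gtm_id not in known_ids:
                reasons.append(f"unknown GTM container id {gtm_id}")
        for marker in OBFUSCATION_MARKERS:
            if re.search(marker, script):
                reasons.append(f"obfuscation marker {marker!r} in GTM-like script")
        # The real loader only talks to googletagmanager.com; anything else is suspect.
        for host in HOST_RE.findall(script):
            if not host.endswith("googletagmanager.com"):
                reasons.append(f"GTM-like script references foreign host {host}")
    return Finding(block_id, reasons) if reasons else None


def scan_rows(rows):
    """rows: iterable of (identifier, content) as selected from cms_block."""
    return [f for f in (scan_cms_block(b, c) for b, c in rows) if f]


def find_php_in_media(media_dir):
    """List executable PHP-family files under media/, relative to media_dir."""
    hits = []
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                hits.append(os.path.relpath(os.path.join(root, name), media_dir))
    return sorted(hits)


# Constructed sample rows: one genuine GTM loader, one GTM look-alike carrying
# an inert eval(atob(...)) and a second script load from a placeholder host.
SAMPLE_ROWS = [
    ("footer_links", "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
     "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
     "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src="
     "'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})"
     "(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>"),
    ("footer_links_injected", "<script>(function(w,d,s,l,i){/* looks like GTM */var j="
     "d.createElement(s);j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
     "d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-ZZZZ999');"
     "eval(atob('ZG9jdW1lbnQ='));var k=document.createElement('script');"
     "k.src='https://cdn.example.test/x.js';document.head.appendChild(k);</script>"),
]


def build_sample_media_dir():
    """Create a throwaway media/ tree with a placeholder index.php (constructed)."""
    media = tempfile.mkdtemp(prefix="media_")
    os.makedirs(os.path.join(media, "catalog", "product"))
    open(os.path.join(media, "catalog", "product", "sku-1.jpg"), "wb").close()
    with open(os.path.join(media, "index.php"), "w") as fh:
        fh.write("<?php // placeholder standing in for the backdoor described above\n")
    return media


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding.block_id)
        for reason in finding.reasons:
            print("  -", reason)
    print("PHP under media/:", find_php_in_media(build_sample_media_dir()))
```

In a real engagement the rows would come from `SELECT identifier, content FROM cms_block` (and the same check is worth running over core_config_data values such as design/head/includes, where inline scripts are also stored), and any hit should be cross-checked against the GTM container's own version history before the block is removed.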
According to the advisory published on the Sucuri website:
“At the time of writing this article, we found that at least 6 websites were currently infected with this particular Google Tag Manager ID, indicating that this threat is actively affecting multiple sites.