
WordPress spam campaign abuses Google Tag Manager scripts

A recent WordPress attack abused Google Tag Manager to redirect visitors to a spam page, Sucuri researchers reported last week.

The attack avoided dropping files or infecting themes and plugins; instead, it injected a script directly into the wp_options and wp_posts database tables.

The script was added under the option name ihaf_insert_body in the wp_options table, causing it to be injected into the body of every page on the targeted site.

Google Tag Manager (GTM) allows site managers to track user activity using certain tags, triggers and variables, and supports the use of tags containing custom HTML. This is meant to provide users with more flexibility to track visitor behavior in ways that aren’t supported by built-in tags.

However, this feature could be abused by threat actors to add malicious JavaScript to a custom tag. Because GTM is considered to be a trusted service, malicious GTM tags may go overlooked in security scans.

In the recent attack, the GTM tag was suspected to have been added using a compromised administrator account for the targeted site. The tag loaded JavaScript that caused visitors to be redirected to a spam page called spelletjes[.]nl after spending about five seconds on the original WordPress site.

Once the tag container was injected, the attacker would be able to control the payload from their GTM account unless the container was removed. Using the search service PublicWWW, Sucuri found that more than 200 websites were infected in this campaign.

Such malicious redirects can not only subject site visitors to potential harm, but can also damage a site’s reputation, search engine optimization (SEO) and traffic conversions, and even cause the site itself to be flagged as malicious, Sucuri researchers noted.

Sucuri recommended WordPress site owners inspect their sites for suspicious GTM tags; GTM users should also be on alert for any suspicious custom tags created on their accounts. WordPress extensions should be kept up-to-date and wp-admin accounts should be protected with two-factor authentication (2FA) to help prevent file or table manipulation.

Google Tag Manager was previously abused on e-commerce sites to deploy e-skimmers, including in a campaign targeting Magento-based online stores earlier this year.

Attacks that target WordPress database tables rather than themes, plugins and the file system can often evade file-scanning security tools; in a separate campaign earlier this year, Sucuri found credit card skimming malware injected into the wp_options table under the option name widget_block.
