Investigators reported Monday that hackers are now using Google’s analytics service to steal credit card information from infected e-commerce websites.

According to several independent reports from PerimeterX, Kaspersky and Sansec, the threat actors now inject data theft code on threatened websites in combination with the tracking code generated by Google Analytics for their account, allowing them to uninstall even user-recorded payment information. in conditions where content security policies are applied for maximum web security.

“The attackers injected malicious code into the sites, collected all user-entered data and then sent it through Analytics,” Kaspersky said in a report released yesterday. “As a result, attackers could access the stolen data in their Google Analytics account.”

The cybersecurity company said it found about two dozen infected websites in Europe and North and South America that specialize in selling digital equipment, cosmetics, food and spare parts.

Avoid the content security policy

The attack is based on the assumption that e-commerce websites that use Google’s web analytics service for tracking visitors have listed linked domains in their content security policy (PDC).

PDC is an additional security measure that helps detect and mitigate threats arising from cross-site scripting vulnerabilities and other types of code injection attacks, including those adopted by various Magecart groups.

The security feature allows webmasters to define a set of domains that the web browser should be able to interact with for a specific URL, preventing untrusted code execution.

“The source of the problem is that the PDC’s set of rules are not granular enough,” said Amir Shaked, PerimeterX’s vice president of research. “Recognizing and stopping the above malicious JavaScript application requires advanced visibility solutions that can detect the access and extinction of sensitive user data (in this case, the user’s email address and password).”

To collect data using this technique, all it takes is a small piece of JavaScript code that passes the collected details such as references and payment information through an event and other parameters that Google Analytics uses to identify ‘ n unique the different actions performed on a site.

“Administrators write * in the Content-Security-Policy heading (used to list resources from which third-party code can be downloaded), allowing the service to collect data. In addition, ‘ r attack without it downloading code from external sources, “Kaspersky noted.

To make attacks more hidden, attackers also find out whether a developer mode – a feature often used to detect network applications and security errors, among other things – is enabled in the visitor’s browser and only goes front if the outcome of that control is negative.

A “novel” campaign from March

In a separate report released yesterday, Sansec of the Netherlands, which tracks digital skimming attacks, unveiled a similar campaign since March 17 that introduced the malicious code to several stores using a JavaScript code hosted on Google’s Firebase.

For obfuscation, the actor behind the operation created a temporary iFrame to load an attacker-controlled Google Analytics account. The credit card information entered in the payment forms is then encrypted and sent to the analytics console where it is retrieved using the previously used encryption key.

Given the widespread use of Google Analytics in these attacks, countermeasures such as PDC will not work if attackers exploit an already authorized domain to hijack sensitive information.

“A possible solution could come from adaptive URLs, adding the ID as part of the URL or sub-domain to allow administrators to establish PDC rules that restrict the expulsion of data to other accounts,” Shaked concluded collection.

“A more granular direction in the future to strengthen the direction of the PDC for consideration as part of the PDC standard is to apply the XHR proxy. This will essentially create a client-side WAF that can enforce a policy on where for specific data fields to do that. is transmitted. ”

As a customer, unfortunately, you can’t do much to protect yourself from formatting attacks. Enabling developer mode in browsers can help when shopping online.

But it is essential to address any instances of unauthorized purchases or identity theft.


Please enter your comment!
Please enter your name here