23 June 2020

Hackers are exploiting Google Analytics in web skimming attacks

Cyber crooks are now abusing Google's Analytics service to stealthily harvest credit card information from compromised e-commerce sites. Attackers are injecting data-stealing code into the compromised websites together with tracking code generated by Google Analytics for their own account, which allows them to steal all the data entered by users even when a Content Security Policy is configured, according to a new Kaspersky report.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account,” the researchers said.

Online stores use Google’s web analytics service for tracking visitors; for this reason, Google Analytics domains are whitelisted in their CSP configuration, so a skimmer that exfiltrates through the same service is not blocked by the policy.

Kaspersky said it identified nearly two dozen infected websites across Europe and North and South America that specialize in selling digital equipment, cosmetics, food products, and spare parts.

In order to conceal the malicious activity, the attackers use a classic anti-debugging technique: the injected code checks whether Developer mode is enabled in the visitor’s browser, and the malicious code is executed only if the result is negative.

“Curiously, the attackers left themselves a loophole — the option to monitor the script in Debug mode. If the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will spring into life even with the developer tools open, and will go as far as to write comments to the console in clumsy English with errors. In screenshot 3, the line with the ‘debug_mode’ check follows the implementation of the RC4 encryption algorithm (used to encrypt the harvested data before sending it),” the security firm said.

Once the anti-debugging check is passed, the script collects the data entered by users on the compromised website, as well as the visitor's IP address, User-Agent, and time zone. The gathered data is then sent using the Google Analytics Measurement Protocol.

“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users: administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources,” the researchers wrote.
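Because a CSP allow-list for *.google-analytics.com accepts hits for any account, the remaining signal a site operator has is the tracking ID (`tid`) in outgoing Measurement Protocol hits, which should only ever be the site's own property. The following audit script is an added example (not code from the article or from Kaspersky) that walks constructed egress-proxy log lines and flags hits whose `tid` is not on the site's allow-list or whose free-text fields are suspiciously large; the property ID, log format and size threshold are assumptions.

```python
# Added example (not from the Kaspersky report or the article): audit outgoing
# Google Analytics Measurement Protocol hits and flag any whose tracking ID is
# not the site's own property, which CSP alone cannot distinguish.
from urllib.parse import urlparse, parse_qs

# The site's legitimate property ID (assumed placeholder value).
KNOWN_TIDS = {"UA-00000000-1"}
# Measurement Protocol fields that carry free text and could hide bulk data.
TEXT_FIELDS = ("ea", "el", "dl", "dt")

def parse_hit(url):
    """Return the query parameters of a Measurement Protocol hit, else None."""
    u = urlparse(url)
    if not (u.netloc.endswith("google-analytics.com") and u.path.endswith("/collect")):
        return None
    return {k: v[0] for k, v in parse_qs(u.query).items()}

def audit_hit(url, known_tids=KNOWN_TIDS, max_text=256):
    """Return findings for one hit; an empty list means it looks normal."""
    params = parse_hit(url)
    if params is None:
        return []
    findings = []
    tid = params.get("tid", "")
    if tid not in known_tids:
        findings.append(f"unknown tracking id {tid or '<missing>'}")
    for field in TEXT_FIELDS:
        if len(params.get(field, "")) > max_text:
            findings.append(f"oversized {field} ({len(params[field])} chars)")
    return findings

def audit_log(lines):
    """Audit constructed egress-proxy log lines of the form '<time> <url>'."""
    report = {}
    for line in lines:
        ts, _, url = line.strip().partition(" ")
        findings = audit_hit(url)
        if findings:
            report[ts] = findings
    return report

# Constructed sample: a normal pageview, then a hit to a foreign tid carrying 300 chars in 'ea'.
SAMPLE_LOG = [
    "10:00:01 https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&t=pageview&dl=https%3A%2F%2Fshop.example%2Fcheckout",
    "10:00:03 https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&t=event&ea=" + "x" * 300,
]

if __name__ == "__main__":
    for ts, found in audit_log(SAMPLE_LOG).items():
        print(ts, "; ".join(found))
```

The same check can be applied on the client side by inspecting `navigator.sendBeacon` and `XMLHttpRequest` targets, but the egress log is the place where a site operator can see hits regardless of how the skimmer sends them.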
