Cyber crooks are now abusing Google Analytics to stealthily harvest credit card information from compromised e-commerce sites. According to a new Kaspersky report, attackers inject data-stealing code into the compromised websites alongside Google Analytics tracking code generated for their own account, which lets them exfiltrate everything users enter even when a Content Security Policy is configured.
“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account,” the researchers said.
Online stores use Google’s web analytics service to track visitors, and for this reason Google Analytics domains are whitelisted in their CSP configuration.
Kaspersky said it identified nearly two dozen infected websites across Europe and North and South America that specialize in selling digital equipment, cosmetics, food products, and spare parts.
To conceal the malicious activity, the attackers use a classic anti-debugging technique: the injected code checks whether Developer mode is enabled in the visitor’s browser, and the malicious payload runs only if that check comes back negative.
“Curiously, the attackers left themselves a loophole — the option to monitor the script in Debug mode. If the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will spring into life even with the developer tools open, and will go as far as to write comments to the console in clumsy English with errors. In screenshot 3, the line with the ‘debug_mode’ check follows the implementation of the RC4 encryption algorithm (used to encrypt the harvested data before sending it),” the security firm said.
Once the anti-debugging check passes, the script collects the data users enter on the compromised website, along with their IP address, User-Agent and time zone. The harvested data is then sent using the Google Analytics Measurement Protocol.
“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users: administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources,” the researchers wrote.
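Because the skimmer sends its hits to the attackers' own Google Analytics property, a practical defensive check is to inspect outbound Measurement Protocol requests recorded by a proxy, CSP report or HAR capture and flag any whose tracking ID (`tid`) is not one of the store's own properties. The following script is an added example, not code from the article or from Kaspersky's report; the property IDs, hosts and sample requests are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Google Analytics property IDs that belong to the store itself (constructed sample).
KNOWN_PROPERTIES = {"UA-12345678-1"}

# Hosts and endpoints used by the Universal Analytics Measurement Protocol.
GA_HOSTS = {"www.google-analytics.com", "google-analytics.com", "ssl.google-analytics.com"}
GA_PATHS = {"/collect", "/j/collect", "/r/collect", "/batch"}


def inspect_hit(url: str, body: str = "") -> Optional[dict]:
    """Return a finding for a Measurement Protocol hit sent to an unknown property, else None.

    Parameters may arrive in the query string (GET / sendBeacon) or in the POST body,
    so both are parsed and merged before the tracking ID is checked.
    """
    parts = urlsplit(url)
    if parts.hostname not in GA_HOSTS or parts.path not in GA_PATHS:
        return None  # not a Google Analytics hit at all
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    tid = params.get("tid", [""])[0]
    if tid in KNOWN_PROPERTIES:
        return None  # legitimate first-party analytics traffic
    # Event fields (ea/el) and custom dimensions (cd1..cdN) are the free-form slots
    # where harvested form data would have to be carried.
    payload = {k: v[0] for k, v in params.items() if k in ("ea", "el") or k.startswith("cd")}
    return {"tid": tid or "<missing>", "path": parts.path, "payload": payload}


def scan(hits):
    """Run inspect_hit over (url, body) pairs and keep only the findings."""
    return [f for f in (inspect_hit(u, b) for u, b in hits) if f]


# Constructed sample of outbound requests as a proxy or CSP report might record them.
SAMPLE_HITS = [
    ("https://www.google-analytics.com/collect?v=1&tid=UA-12345678-1&cid=555&t=pageview&dp=%2Fcheckout", ""),
    ("https://www.google-analytics.com/collect",
     "v=1&tid=UA-98765432-1&cid=555&t=event&ec=x&ea=c2VjcmV0&el=Zm9ybWRhdGE"),
    ("https://cdn.example-store.test/static/app.js", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HITS):
        print(finding)
```

Any hit reported with a `tid` outside the allow-list deserves a look at the page's injected scripts, since a legitimate deployment has no reason to report to a property the store does not own.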