23 June 2020

Hackers are exploiting Google Analytics in web skimming attacks

Cyber crooks are now abusing Google's Analytics service to stealthily harvest credit card information from compromised e-commerce sites. According to a new Kaspersky report, the attackers inject data-stealing code into the compromised websites alongside tracking code generated by Google Analytics for an account they control, which lets them capture everything users enter even when a content security policy is configured.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account,” the researchers said.

Online stores use Google's web analytics service to track visitors, so Google Analytics domains are whitelisted in their CSP configuration.

Kaspersky said it identified nearly two dozen infected websites across Europe and North and South America that specialize in selling digital equipment, cosmetics, food products, and spare parts.

To conceal the malicious activity, the attackers use a classic anti-debugging technique: code that checks whether Developer mode is enabled in the visitor's browser. The malicious code executes only if the check is negative.

“Curiously, the attackers left themselves a loophole — the option to monitor the script in Debug mode. If the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will spring into life even with the developer tools open, and will go as far as to write comments to the console in clumsy English with errors. In screenshot 3, the line with the ‘debug_mode’ check follows the implementation of the RC4 encryption algorithm (used to encrypt the harvested data before sending it),” the security firm said.

Once the anti-debugging check is passed, the script collects the data entered by users on the compromised website, along with the visitor's IP address, User-Agent, and time zone. The gathered data is then sent using the Google Analytics Measurement Protocol.

“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users: administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources,” the researchers wrote.
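The CSP weakness the researchers describe, as an added defensive check (my code, not Kaspersky's or Google's): it parses a Content-Security-Policy header and flags the fetch directives whose allow-list admits a Google Analytics host, since the same allow-list lets injected code beacon harvested data over the Measurement Protocol, and separately reports whether inline scripts are permitted. The sample policy is constructed.

```python
"""Flag CSP directives that would let injected code beacon data to Google Analytics."""
from __future__ import annotations
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Hosts the Measurement Protocol talks to; allow-listing them in CSP also
# allow-lists a skimmer that reuses the protocol to exfiltrate form data.
ANALYTICS_HOSTS = ("www.google-analytics.com", "google-analytics.com")
# Fetch directives a client-side script can use to send data out of the page.
EXFIL_DIRECTIVES = ("connect-src", "img-src")

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Fetch directives fall back to default-src when they are absent."""
    return policy[directive] if directive in policy else policy.get("default-src", [])

def _source_allows_host(source: str, host: str) -> bool:
    """True if a single CSP source expression matches the given host."""
    s = source.lower()
    if s.startswith("'"):          # keyword such as 'self' or 'none'
        return False
    if s == "*":
        return True
    # Source may be a URL ("https://x.y/path") or a bare host pattern ("*.x.y").
    pattern = (urlparse(s).hostname if "://" in s else s.split("/")[0]) or s
    return fnmatchcase(host, pattern)   # CSP wildcards are leading labels only

def analytics_exfil_channels(header: str) -> list[str]:
    """Return the fetch directives whose allow-list admits a Google Analytics host."""
    policy = parse_csp(header)
    findings = []
    for directive in EXFIL_DIRECTIVES:
        for src in effective_sources(policy, directive):
            if any(_source_allows_host(src, h) for h in ANALYTICS_HOSTS):
                findings.append(f"{directive} allows {src}")
                break
    return findings

def inline_script_allowed(header: str) -> bool:
    """Injected inline code runs if script-src is unrestricted or has 'unsafe-inline'."""
    sources = effective_sources(parse_csp(header), "script-src")
    return not sources or "'unsafe-inline'" in (s.lower() for s in sources)

# Constructed sample: a typical store policy that allow-lists the analytics domains wholesale.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' *.google-analytics.com; "
              "connect-src 'self' https://www.google-analytics.com; img-src 'self' *.google-analytics.com")

if __name__ == "__main__":
    for finding in analytics_exfil_channels(SAMPLE_CSP):
        print("possible exfiltration channel:", finding)
    print("inline scripts allowed:", inline_script_allowed(SAMPLE_CSP))
```

A finding here does not mean a site is compromised; it means CSP alone will not stop this technique, so the check belongs beside script-integrity monitoring and tightening `script-src` to nonces or hashes.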
