On Monday, security researchers reported that hackers are abusing Google Analytics to steal credit card details from users of infected e-commerce websites.
According to researchers from PerimeterX, Kaspersky, and Sansec, the hackers inject malicious data-stealing code into compromised websites alongside tracking code generated by their own Google Analytics account, letting them siphon payment data even from sites with strong web security in place.
Researchers have found dozens of compromised websites across Europe and North and South America, selling digital equipment, food products, spare parts, and cosmetics.
Abusing Content Security Policy
The attackers compromise e-commerce websites that use Google Analytics to track visitors and have whitelisted the associated domains in their Content Security Policy.
Content Security Policy is an extra layer of security that helps detect and mitigate attacks such as cross-site scripting and data injection.
"Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics. As a result, an attacker can see the stolen data in their Google Analytics account," Kaspersky said in a report.
The attackers use a small piece of JavaScript code that transmits the collected credentials and payment information through an event and the other parameters that Google Analytics uses.
"Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What's more, the attack can be implemented without downloading code from external sources," Kaspersky noted.
To make the attack more effective, the attackers also check whether the browser's developer mode, which is used to spot security errors and inspect network requests, is turned on. Only if it is disabled do they continue the attack.
Campaign Running Since March
Netherlands-based Sansec researchers have also uncovered a similar attack, running since March 17, that delivers malicious JavaScript code to various stores hosted on Firebase.
For obfuscation, the attacker also created a temporary iframe to load the attacker's Analytics. The credit card details entered by users are then encrypted and sent to the attacker's Analytics account, where the attacker decrypts them using the encryption key.
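Both variants described above share one weak point from the defender's side: the skimmer must report to the attacker's own Analytics account, so its tracking ID differs from the site's, even when the card data itself is encrypted as in the Firebase campaign. The following is an added example, not code from the article or from the researchers it cites. It assumes the classic Universal Analytics Measurement Protocol (a hit is a request to www.google-analytics.com/collect with the tracking ID in the tid query parameter and event fields in ec, ea and el), a hypothetical site tracking ID, and constructed sample request URLs. It flags any Analytics hit whose tracking ID is not one the site owns, and separately flags free-text parameters carrying a Luhn-valid card number:

```javascript
// Added example, not code from the article or the cited researchers.
// Assumes the classic Universal Analytics Measurement Protocol: a hit is an
// HTTP request to www.google-analytics.com/collect whose query string carries
// the tracking ID in "tid" and the event fields in "ec"/"ea"/"el".

// Tracking ID(s) this site legitimately uses (hypothetical value).
const SITE_TRACKING_IDS = new Set(['UA-11111111-1']);

// Measurement Protocol fields that accept free-form text, i.e. the places a
// skimmer can smuggle card data: event category/action/label, page title and
// URL, and custom dimensions cd1..cd3.
const FREE_TEXT_PARAMS = ['ec', 'ea', 'el', 'dt', 'dl', 'cd1', 'cd2', 'cd3'];

// Luhn checksum, the mod-10 check every real card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when the value contains a 13-19 digit run that passes Luhn.
function looksLikeCardData(value) {
  const digits = value.replace(/[\s-]/g, '');
  const run = digits.match(/\d{13,19}/);
  return run !== null && luhnValid(run[0]);
}

// Classify one outbound request URL (for example from a CSP report, a proxy
// log or a browser network capture).
function classifyHit(rawUrl) {
  const u = new URL(rawUrl);
  if (!u.hostname.endsWith('google-analytics.com') || !u.pathname.endsWith('/collect')) {
    return { url: rawUrl, tid: null, verdict: 'not-ga-hit', reasons: [] };
  }
  const tid = u.searchParams.get('tid');
  const reasons = [];
  if (tid === null) {
    reasons.push('missing tracking id');
  } else if (!SITE_TRACKING_IDS.has(tid)) {
    // The skimmer reports to the attacker's own account, so the ID differs
    // from the site's. This catches the hit even when the payload is encrypted.
    reasons.push(`foreign tracking id ${tid}`);
  }
  for (const p of FREE_TEXT_PARAMS) {
    const v = u.searchParams.get(p);
    if (v !== null && looksLikeCardData(v)) reasons.push(`card-like data in ${p}`);
  }
  return { url: rawUrl, tid, verdict: reasons.length ? 'suspicious' : 'ok', reasons };
}

// Return only the suspicious hits from a list of request URLs.
function scanHits(urls) {
  return urls.map(classifyHit).filter((h) => h.verdict === 'suspicious');
}

// Constructed sample traffic: one legitimate pageview, one skimmer event that
// sends a plaintext (test) card number, and one that sends an encrypted blob.
const SAMPLE_HITS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-11111111-1&t=pageview&dl=https%3A%2F%2Fshop.example%2Fcheckout',
  'https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&t=event&ec=checkout&ea=submit&el=4111111111111111',
  'https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&t=event&ec=checkout&ea=submit&el=U2FsdGVkX19wYXlsb2Fk',
];

for (const hit of scanHits(SAMPLE_HITS)) {
  console.log(`${hit.verdict}: ${hit.reasons.join('; ')}`);
}
```

The content check alone would miss the encrypted Firebase variant; the tracking-ID check catches it regardless of payload, which is why a site should maintain an allowlist of the Analytics IDs it actually uses. A CSP entry for *.google-analytics.com cannot make this distinction, since the attacker's beacons go to exactly the host the policy permits.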