Posted on June 24, 2020 at 11:15 AM
A recent report reveals that hackers are using Google Analytics and Google's own servers to steal credit card information that customers submit at online stores.
The hackers are using the Google Analytics API to bypass Content Security Policy (CSP), a technique that has already been used in ongoing Magecart attacks. The activity was designed to steal credit card details from dozens of eCommerce sites.
Based on independent reports from Sansec, Kaspersky, and PerimeterX, the hackers are planting data-stealing code on the infected websites alongside the tracking code generated by Google Analytics. This allows them to steal payment information entered by users, even when Content Security Policy is fully enforced.
“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky reported yesterday.
The cybersecurity company also pointed out that the hackers can access the stolen data from their own Google Analytics accounts.
Circumventing Content Security Policy
The method benefits from the fact that e-commerce websites using Google's web analytics whitelist the Google Analytics domains in their policies.
According to security firms PerimeterX and Sansec, using CSP to prevent credit card skimming on sites that use Google Analytics is a waste of time, because threat actors can easily exfiltrate the harvested data to their own accounts.
PerimeterX found that the core functionality of CSP is easy for attackers to exploit when the policy is used to block credit card or credential theft.
CSP is an additional security measure used to detect and mitigate threats from cross-site scripting vulnerabilities. It is also used to prevent other kinds of code-injection attacks.
The security mechanism gives site owners the ability to define which sources the browser may load content from and communicate with on a given page, which is aimed at preventing the execution of untrusted code.
The injected code also makes use of the fields that Google Analytics relies on to uniquely identify different actions on the site. Kaspersky noted that another interesting aspect is that the actors can carry out the attack without downloading code from an external source.
To keep the attack better hidden, the actors also check whether developer mode has been activated in the visitor's browser. If it is not enabled, the code proceeds to its next action. Developer mode is a feature often used to spot security errors and inspect network requests, and it is an important tool for protecting a site against exploitation.
Possible data theft prevention
To further conceal the activity, the attacker sets up a temporary iFrame to load an attacker-controlled Google Analytics account. The credit card details are then encrypted and delivered to the analytics console, where the attacker uses the encryption key to recover them.
With Google Analytics commonly used in these attacks, measures like CSP will not be effective when the actors steal sensitive information by taking advantage of an already allowed domain.
The only viable solution would be adaptive URLs, including the account ID as part of the subdomain or URL. This would enable admins to establish CSP rules that prevent data exfiltration to other accounts, Sansec concluded.
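The following is an added example, not code from the article or from Sansec, Kaspersky or PerimeterX. It shows why a CSP connect-src allow-list cannot tell the shop's own Google Analytics beacons from one aimed at another account, and the per-request tracking-ID check that can; the policy, origin, tracking IDs and request URLs are constructed placeholders, and CSP host matching is simplified to exact origins.

```javascript
// Added example (not from the article or the cited vendors): a CSP allow-list
// compared with a tracking-ID check over constructed outbound request URLs.

// Constructed policy for a shop that allow-lists Google Analytics.
const SHOP_CSP =
  "default-src 'self'; connect-src 'self' https://www.google-analytics.com";
const SHOP_ORIGIN = 'https://shop.example'; // placeholder origin
const SHOP_TRACKING_ID = 'UA-00000000-1'; // placeholder for the shop's own property

// Pull the source list out of the connect-src directive.
function connectSources(csp) {
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('connect-src'));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Would the policy let the browser send a request to `url`? (exact-origin match only)
function cspAllowsConnect(csp, url, pageOrigin) {
  const origin = new URL(url).origin;
  return connectSources(csp).some((src) =>
    src === "'self'" ? origin === pageOrigin : origin === src);
}

// What CSP cannot see: the `tid` query parameter of a Measurement Protocol
// beacon names the account that receives the data.
function classifyBeacon(url, ownTid) {
  const u = new URL(url);
  if (u.hostname !== 'www.google-analytics.com' ||
      !u.pathname.endsWith('/collect')) return 'not-ga';
  return u.searchParams.get('tid') === ownTid ? 'own-account' : 'foreign-account';
}

// Audit a list of observed outbound request URLs (e.g. from a HAR export).
function auditRequests(urls, csp = SHOP_CSP, pageOrigin = SHOP_ORIGIN,
                       ownTid = SHOP_TRACKING_ID) {
  return urls.map((url) => ({
    url,
    cspAllows: cspAllowsConnect(csp, url, pageOrigin),
    verdict: classifyBeacon(url, ownTid),
  }));
}

// Constructed sample: a legitimate pageview, a beacon to a foreign account
// carrying an opaque payload, and a request to a host the policy does not list.
const OBSERVED_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&t=pageview&dp=%2Fcheckout',
  'https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&t=event&ec=form&el=OPAQUE_BLOB',
  'https://unlisted.example/collect?tid=UA-99999999-9',
];

// Suspicious = the policy lets it through, yet it feeds someone else's account.
function suspiciousRequests(urls) {
  return auditRequests(urls)
    .filter((r) => r.cspAllows && r.verdict === 'foreign-account')
    .map((r) => r.url);
}
```

Only the second URL is flagged: CSP passes it exactly as it passes the legitimate beacon, and only the tracking ID separates the two.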