Hackers Exploit Google Analytics to Bypass Web Security and Steal Credit Card Information

Security researchers have disclosed a skimming technique in which attackers abuse Google Analytics to siphon payment card data from e-commerce sites. The campaign was reported by PerimeterX, Kaspersky, and Sansec, and its distinguishing feature is that the stolen data leaves the site through a service the site already trusts, so administrators see nothing out of the ordinary in their traffic.

The compromised sites are located mainly in North America and Europe and sell products ranging from digital devices to cosmetics and food. The attackers inject JavaScript into the checkout pages, collect the payment details a customer types in, and send them to Google Analytics tagged with a tracking ID for an account the attackers control. Because the data goes to the same google-analytics.com endpoints the site itself uses, it passes a Content Security Policy (CSP) that allow-lists that host, which is how most sites that deploy CSP configure it.

Kaspersky noted how little effort the scheme takes. According to its findings, once the malicious code is injected it captures what users enter and transmits it over the legitimate analytics channel. The attack plays on the trust sites place in Google Analytics as a benign third-party service, which lets the exfiltration blend in with the site's authorized traffic.

Content Security Policy exists to limit code-injection attacks, including the digital skimming associated with the Magecart groups. In practice, however, most policies allow-list Google's analytics domains, so a skimmer that reports to www.google-analytics.com is permitted. The underlying limitation is granularity: CSP source expressions match scheme, host, port and path, while the account a beacon reports to is carried in a query parameter or request body that CSP never sees, so it cannot express "only beacons for our own tracking ID". Amir Shaked, VP of Research at PerimeterX, said that detection mechanisms beyond CSP are needed to identify unauthorized data access and stop the exfiltration of sensitive information.

The mechanism is simple: a short JavaScript snippet reads the payment form fields and submits them to Google Analytics as a tracking event, so the exfiltration looks like an ordinary analytics hit and is hard to spot in traffic logs. To stay hidden, the skimmer also checks whether developer mode (the browser's developer tools) is active in the victim's browser and aborts if it is.

Separately, Sansec has tracked a campaign active since mid-March that also abuses Google services. In that operation the loader is JavaScript hosted on Google's Firebase, which delivers a similar skimmer. The malware uses an iframe to load a Google Analytics tracker for the attackers' own account and encrypts the captured payment information before sending it, which hides the content from anyone inspecting the traffic and makes it harder for affected businesses to determine what was taken.

These developments show that CSP on its own does not stop data theft when attackers can exploit trust in an allow-listed domain. One proposed mitigation is adaptive URLs: if the tracking ID were part of the analytics hostname or path rather than a query parameter, a site could write a CSP rule that permits beacons only for its own account and blocks exfiltration to anyone else's.
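The following is an added example, not code from the article or from any of the vendors it cites. It models the gap described in the last few paragraphs: a domain-level CSP allow-list lets both the shop's own Google Analytics beacon and a skimmer's through, while a check on the beacon itself (whose tracking ID it reports to, and whether a parameter carries a Luhn-valid card number, base64-encoded or not) tells them apart. The shop origin, tracking IDs, and beacon URLs are all constructed for illustration.

```javascript
// Added example, not code from the article or the vendors it cites. It models
// why a domain-level CSP allow-list cannot separate a shop's own Google
// Analytics beacons from a skimmer's, and what a per-beacon check can catch.
// Every hostname, tracking ID and beacon URL below is constructed.

// Hypothetical connect-src of a shop at https://shop.example: the usual
// setup, allow-listing the analytics host wholesale.
const SELF_ORIGIN = 'https://shop.example';
const CSP_CONNECT_SRC = ["'self'", 'https://www.google-analytics.com'];

// The shop's own property ID (made up for the example).
const SITE_TID = 'UA-12345678-1';

// Minimal host-source matcher for a CSP connect-src list: a source is either
// 'self' or scheme://host, with a leading *. wildcard allowed on the host.
// This is enough to show the decision a browser makes for /collect beacons.
function cspAllows(sources, urlString, selfOrigin) {
  const u = new URL(urlString);
  return sources.some((src) => {
    if (src === "'self'") return u.origin === selfOrigin;
    const [scheme, host] = src.split('://');
    if (`${scheme}:` !== u.protocol) return false;
    if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
    return u.hostname === host;
  });
}

// Luhn check, used to tell a card number from an arbitrary run of digits.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Return every 13-19 digit run in `text` that passes the Luhn check.
function cardNumbersIn(text) {
  return (text.match(/\d{13,19}/g) || []).filter(luhnValid);
}

// Skimmers commonly base64-encode the harvested fields before stuffing them
// into an event parameter; try a decode and only keep printable results.
function maybeBase64Decode(value) {
  if (!/^[A-Za-z0-9+/]+=*$/.test(value) || value.length % 4 !== 0) return null;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

// Inspect one Measurement Protocol hit (a GET-style /collect request) and
// report what a CSP cannot express: whose property it reports to, and
// whether any parameter carries something that looks like a card number.
function inspectBeacon(urlString) {
  const u = new URL(urlString);
  const tid = u.searchParams.get('tid');
  const cardNumbers = [];
  for (const [, value] of u.searchParams) {
    cardNumbers.push(...cardNumbersIn(value));
    const decoded = maybeBase64Decode(value);
    if (decoded) cardNumbers.push(...cardNumbersIn(decoded));
  }
  const tidAllowed = tid === SITE_TID;
  return {
    cspAllowed: cspAllows(CSP_CONNECT_SRC, urlString, SELF_ORIGIN),
    tid,
    tidAllowed,
    cardNumbers,
    verdict: tidAllowed && cardNumbers.length === 0 ? 'ok' : 'suspicious',
  };
}

// Constructed sample hits. The first is the shop's own pageview; the second
// is what a skimmer's event could look like: it reports to a different
// property, with the stolen form fields base64-encoded into the event label.
const LEGIT_BEACON =
  'https://www.google-analytics.com/collect?v=1&tid=UA-12345678-1&cid=555&t=pageview&dp=%2Fcheckout';
const STOLEN_FIELDS = 'cc=4111111111111111&exp=12/27&cvv=123'; // well-known test card number
const SKIMMER_BEACON =
  'https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&cid=555&t=event&ec=form&ea=submit&el=' +
  encodeURIComponent(Buffer.from(STOLEN_FIELDS).toString('base64'));

console.log(inspectBeacon(LEGIT_BEACON));   // cspAllowed: true, verdict: 'ok'
console.log(inspectBeacon(SKIMMER_BEACON)); // cspAllowed: true, verdict: 'suspicious'
```

Both beacons come back with `cspAllowed: true`, which is the point the article makes about allow-listing the analytics host; only the per-beacon inspection, which reads the `tid` parameter and decodes the event label, marks the second one suspicious. In a real deployment this logic would sit in a proxy, a browser extension, or a wrapper around `navigator.sendBeacon` and `XMLHttpRequest`, and the tracking-ID check would use the site's actual property ID.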

Mapped to the MITRE ATT&CK framework, the campaign likely combines initial access through a compromised public-facing web application, execution of injected JavaScript in the shopper's browser, and Exfiltration Over Web Service (T1567), with the stolen data disguised as legitimate analytics traffic.

For merchants, the burden falls on site operators to detect and remove injected scripts and to monitor what leaves their pages. Shoppers can do little against formjacking on a site they trust beyond watching their card statements for unauthorized transactions and staying alert to signs of identity theft.

In summary, the abuse of trusted services such as Google Analytics shows how attackers turn a site's own allow-lists against it, and why businesses need to pair CSP with monitoring of the traffic those allow-lists permit.