Skip to main content

Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards.


Google Analytics
Researchers reported on Monday that hackers are now exploiting Google's Analytics service to stealthily pilfer credit card information from infected e-commerce sites.

According to several independent reports from PerimeterX Kaspersky, and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.

"Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics," Kaspersky said in a report published yesterday. "As a result, the attackers could access the stolen data in their Google Analytics account."

The cybersecurity firm said it found about two dozen infected websites across Europe and North and South America that specialized in selling digital equipment, cosmetics, food products, and spare parts.

Bypassing Content Security Policy.


The attack hinges on the premise that e-commerce websites using Google's web analytics service for tracking visitors have whitelisted the associated domains in their content security policy (CSP).


CSP is an added security measure that helps detect and mitigate threats stemming from cross-site scripting vulnerabilities and other forms of code injection attacks, including those embraced by various Magecart groups.

The security feature allows webmasters to define a set of domains the web browser should be allowed to interact with for a specific URL, thereby preventing the execution of untrusted code.

credit card hacking

"The source of the problem is that the CSP rule system isn't granular enough," PerimeterX's VP of research Amir Shaked said. "Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data (in this case, the user's email address and password)."

To harvest data using this technique, all that is needed is a small piece of JavaScript code that transmits the collected details like credentials and payment information through an event and other parameters that Google Analytics uses to uniquely identify different actions performed on a site.

"Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What's more, the attack can be implemented without downloading code from external sources," Kaspersky noted.

To make the attacks more covert, the attackers also ascertain if developer mode — a feature that's often used to spot network requests and security errors, among other things — is enabled in the visitor's browser, and proceed only if the result of that check is negative.

A "Novel" Campaign Since March


In a separate report released yesterday, Netherlands-based Sansec, which tracks digital skimming attacks, uncovered a similar campaign since March 17 that delivered the malicious code on several stores using a JavaScript code that's hosted on Google's Firebase.

For obfuscation, the actor behind the operation created a temporary iFrame to load an attacker-controlled Google Analytics account. The credit card data entered on payment forms is then encrypted and sent to the analytics console from where it's recovered using the encryption key earlier used.

Given the widespread use of Google Analytics in these attacks, countermeasures like CSP will not work if attackers take advantage of an already allowed domain to hijack sensitive information.

google analytics

"A possible solution would come from adaptive URLs, adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts," Shaked concluded.

"A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement. This will essentially create a client-side WAF that can enforce a policy on where specific data field[s] are allowed to be transmitted."

As a customer, unfortunately, there isn't much you can do to safeguard yourself from formjacking attacks. Turning on developer mode in browsers can help when making online purchases.

But it's essential that you watch out for any instances of unauthorized purchases or identity theft.

THN

#osutayusuf

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.