Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards

Jun 23, 2020

Researchers reported on Monday that hackers are now exploiting
Google’s Analytics service to stealthily pilfer credit card
information from infected e-commerce sites.

According to several independent reports from PerimeterX ^[1], Kaspersky ^[2], and Sansec ^[3], threat actors are now
injecting data-stealing code on the compromised websites in
combination with tracking code generated by Google Analytics for
their own account, letting them exfiltrate payment information
entered by users even in conditions where content security policies
are enforced for maximum web security.

“Attackers injected malicious code into sites, which collected
all the data entered by users and then sent it via Analytics,”
Kaspersky said in a report published yesterday. “As a result, the
attackers could access the stolen data in their Google Analytics
account.”

The cybersecurity firm said it found about two dozen infected
websites across Europe and North and South America that specialized
in selling digital equipment, cosmetics, food products, and spare
parts.

Bypassing Content Security Policy

The attack hinges on the premise that e-commerce websites using
Google’s web analytics service for tracking visitors have
whitelisted the associated domains in their content security policy
(CSP).

CSP is an added security
measure that helps detect and mitigate threats stemming from
cross-site scripting
vulnerabilities and other forms of code injection attacks,
including those embraced by various Magecart
groups.

The security feature allows webmasters to define a set of
domains the web browser should be allowed to interact with for a
specific URL, thereby preventing the execution of untrusted
code.

“The source of the problem is that the CSP rule system isn’t
granular enough,” PerimeterX’s VP of research Amir Shaked said.
“Recognizing and stopping the above malicious JavaScript request
requires advanced visibility solutions that can detect the access
and exfiltration of sensitive user data (in this case, the user’s
email address and password).”

To harvest data using this technique, all that is needed is a
small piece of JavaScript code that transmits the collected details
like credentials and payment information through an event and other
parameters that Google Analytics uses to uniquely identify
different actions performed on a site.

“Administrators write *.google-analytics.com into the
Content-Security-Policy header (used for listing resources from
which third-party code can be downloaded), allowing the service to
collect data. What’s more, the attack can be implemented without
downloading code from external sources,” Kaspersky noted.

To make the attacks more covert, the attackers also ascertain if
developer mode — a feature that’s often used to spot network
requests and security errors, among other things — is enabled in
the visitor’s browser, and proceed only if the result of that check
is negative.

A “Novel” Campaign Since March

In a separate report released yesterday, Netherlands-based Sansec,
which tracks digital skimming attacks, uncovered a similar campaign
since March 17 that delivered the malicious code on several stores
using a JavaScript code that’s hosted on Google’s Firebase.

For obfuscation, the actor behind the operation created a
temporary iFrame to load an attacker-controlled Google Analytics
account. The credit card data entered on payment forms is then
encrypted and sent to the analytics console from where it’s
recovered using the encryption key earlier used.

Given the widespread use of Google Analytics in these attacks,
countermeasures like CSP will not work if attackers take advantage
of an already allowed domain to hijack sensitive information.

“A possible solution would come from adaptive URLs, adding the ID
as part of the URL or subdomain to allow admins to set CSP rules
that restrict data exfiltration to other accounts,” Shaked
concluded.

“A more granular future direction for strengthening CSP
direction to consider as part of the CSP standard is XHR
proxy ^[7] enforcement. This will
essentially create a client-side WAF ^[8] that can enforce a
policy on where specific data field[s] are allowed to be
transmitted.”

As a customer, unfortunately, there isn’t much you can do to
safeguard yourself from formjacking attacks. Turning on developer
mode in browsers can help when making online purchases.

But it’s essential that you watch out for any instances of
unauthorized purchases or identity theft.

^[4]^[5]^[6]

References

^{^}
PerimeterX
(www.perimeterx.com)
^{^}
Kaspersky
(securelist.com)
^{^}
Sansec
(sansec.io)
^{^}
added security measure
(developer.mozilla.org)
^{^}
cross-site scripting
(owasp.org)
^{^}
Magecart groups
(thehackernews.com)
^{^}
XHR
proxy (en.wikipedia.org)
^{^}
WAF
(thehackernews.com)

The Hacker News Headlines

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Aug 18, 2023

The Hacker News Headlines

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

Aug 18, 2023

The Hacker News Headlines

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Aug 18, 2023

OWASP TOP !0

Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Cross-Site Scripting XSS. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards

Bypassing Content Security Policy

A “Novel” Campaign Since March

References

Related Post

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

You missed

Protected: Rotary VI EAST

Protected: BetterCyberCareer Group

Protected: Benin Club 1931 – Official

Protected: Whatsapp AI Automation Group