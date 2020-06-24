Several recent reports from cybersecurity companies describe the rise of a cyber attack that abuses Google Analytics (a service that collects information about visits and browsing habits and is present on millions of websites) to steal credit card information from online store customers.

Kaspersky, Sansec and PerimeterX have each released reports showing that a weakness in the trust sites place in the market-leading web analytics platform allows attackers who have previously injected malicious code into an online store's website to exfiltrate and collect information entered during the payment process, circumventing the site's content security policy.

A flawed security model

Such Content Security Policies (CSP) are, according to Mozilla documentation, “an additional layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.”

But when Google Analytics servers are included in the allowlist of a site's CSP configuration (in fact, they are the third-party service most commonly included in these lists), attackers only have to replace a portion of the website's Analytics JavaScript code to turn it to their own use.

Since CSP rules cannot discriminate based on the Analytics ID, it is enough to swap the site's ID for that of an account the attacker controls on the same service in order, as Amir Shaked of PerimeterX puts it, to get "the dp parameter (consisting of username and password) to be sent to the attacker's dashboard".
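To make the mechanism concrete, the following is an added example in JavaScript (run under Node.js); it is not code from the article or from any of the cited reports. It builds a Measurement Protocol hit the way the analytics.js beacon does, shows that a typical origin-based connect-src rule accepts the attacker's hit exactly as readily as the store's own, and then flags any hit whose tid is not the store's property. The tracking IDs UA-12345-1 and UA-99999-9, the origin shop.example and the stolen values are all hypothetical, and no real DOM hooking is performed.

```javascript
// Added illustration of the Google Analytics skimming technique described in
// the text. Not code from the article or from Kaspersky, Sansec or PerimeterX.
// Hypothetical values: the store's tracking ID is UA-12345-1, the attacker's
// is UA-99999-9, the store runs at https://shop.example.

const GA_COLLECT = 'https://www.google-analytics.com/collect';

// Build a Measurement Protocol hit with the same fields analytics.js sends:
// v (protocol version), tid (property ID), cid (client ID), t (hit type) and
// dp (document path). A skimmer reuses the very same endpoint; it only swaps
// tid for its own property and stuffs the stolen data into dp.
function buildHit(tid, cid, dp) {
  const u = new URL(GA_COLLECT);
  u.searchParams.set('v', '1');
  u.searchParams.set('tid', tid);
  u.searchParams.set('cid', cid);
  u.searchParams.set('t', 'pageview');
  u.searchParams.set('dp', dp);
  return u.toString();
}

// Minimal model of CSP connect-src matching for plain origin source
// expressions ('self' or scheme://host). The policy compares scheme and host
// (optionally a path), never the query string, so it cannot see whose tid a
// request carries.
function cspConnectAllows(connectSrc, siteOrigin, requestUrl) {
  const target = new URL(requestUrl);
  return connectSrc.some((src) => {
    const allowed = new URL(src === "'self'" ? siteOrigin : src);
    return allowed.protocol === target.protocol && allowed.host === target.host;
  });
}

// Detection: given the outbound GA hits observed during a synthetic checkout
// (collected with a proxy or browser devtools), report any hit to the GA
// collect endpoint whose tid is not one of the store's own properties.
function findRogueHits(hitUrls, legitimateTids) {
  const legit = new Set(legitimateTids);
  return hitUrls
    .map((h) => new URL(h))
    .filter((u) => u.host === 'www.google-analytics.com' && !legit.has(u.searchParams.get('tid')))
    .map((u) => ({ tid: u.searchParams.get('tid'), dp: u.searchParams.get('dp') }));
}

// Constructed scenario (hypothetical IDs, origin and stolen values).
const SITE_ORIGIN = 'https://shop.example';
const POLICY = ["'self'", 'https://www.google-analytics.com']; // a typical allowlist
const SITE_TID = 'UA-12345-1';
const ATTACKER_TID = 'UA-99999-9';

// What the store's own analytics sends on the checkout page.
const legitimateHit = buildHit(SITE_TID, '555.123', '/checkout');
// What the injected skimmer sends: same endpoint, attacker's tid, loot in dp
// (constructed credentials, mirroring the PerimeterX demonstration).
const skimmerHit = buildHit(ATTACKER_TID, '555.123', '/user@example.com:Hunter2');

function demo() {
  return {
    legitimateAllowed: cspConnectAllows(POLICY, SITE_ORIGIN, legitimateHit),
    skimmerAllowed: cspConnectAllows(POLICY, SITE_ORIGIN, skimmerHit),
    unlistedHostAllowed: cspConnectAllows(POLICY, SITE_ORIGIN, 'https://evil.example/collect'),
    rogue: findRogueHits([legitimateHit, skimmerHit], [SITE_TID]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the three CSP checks is that the policy blocks an unlisted host but passes both Google Analytics hits, because a source expression can constrain scheme, host, port and at most a path, and the tid lives in the query string. The only lever left to the defender is therefore knowledge of the site's own property IDs, which is what findRogueHits uses; it will also miss a skimmer that proxies through any other allowlisted origin, so it is a check on this one technique rather than a general skimming detector.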

In the words of Sansec CEO Willem de Groot to BleepingComputer, the problem is that

“Everything is allowed by default. CSP was invented to limit the execution of untrusted code. But since almost everyone trusts Google, the model is flawed.”

This is an example of web ‘skimming’ (digital pickpocketing), a technique that is increasingly popular. Google Analytics is not the only tool abused for it: other web analytics services, such as its Chinese and Russian equivalents Baidu and Yandex, are used as well, and in some cases skimmers rely on ad networks, using banner ads as ‘Trojan horses’.

The cybercriminal collective Magecart, active since at least 2016 and included in Wired’s list of the most dangerous people on the internet in 2018, is considered responsible for many of the attacks that have used this technique.


Cyber attacks detected that use Google Analytics to steal payment information from online store customers