Online payment details theft via Google Analytics service: Web Skimming
In June 2020, researchers uncovered a new technique for stealing users’ payment information on online shopping websites — a type of attack known as web skimming.
Web skimming is a common technique attackers use to steal credit card details from the payment pages of online stores: they inject malicious code into the website's source. That code collects the data visitors enter on the site (e.g. payment account logins or credit card numbers) and sends it to an address the attackers have specified in the code.
To make the data flow to a third-party resource less visible, fraudsters often register domains that resemble the names of popular web services, and in particular Google Analytics (google-anatytics[.]com, google-analytcsapi[.]com, google-analytc[.]com, google-anaiytlcs[.]com, google-analytics[.]top, google-analytics[.]cm, google-analytics[.]to, google-analytics-js[.]com, googlc-analytics[.]com, etc.). Attacks of this kind were also found, in some cases, to use the authentic service.
To collect data about visitors using Google Analytics, a site owner configures the tracking parameters in their account on analytics.google.com, obtains the tracking ID (trackingId, a string of the form UA-XXXX-Y) and embeds it in the web pages together with the tracking code (a special JavaScript snippet). Several tracking codes can coexist on one site, each sending visitor data to a different Google Analytics account.
This time the criminals devised a new technique that abuses the capabilities of Google Analytics itself. They register their own web analytics accounts and inject those accounts' tracking code into the compromised websites' source, so the card data entered by visitors is sent through the genuine Google Analytics collection endpoint to an account the attackers control. Because the traffic goes to the authentic service rather than to a suspicious domain, it is hard to distinguish from the store's own analytics traffic, and a Content Security Policy that allows Google Analytics does nothing to stop it. About two dozen online stores worldwide were compromised using this method.
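As an added example (not code from the original article), the check below audits a page's HTML the way a shop owner could: it lists every Google Analytics tracking ID present in the page and compares it with the IDs the owner actually registered, and it flags hostnames that imitate google-analytics.com. The set of legitimate hosts, the sample page and the owner's tracking ID are assumptions constructed for the illustration.

```python
import re

# Added example, not from the original article. The host list, the sample page
# and the owner's tracking ID below are assumptions constructed for illustration.

# Hosts the site is expected to contact for analytics (assumption).
LEGIT_GA_HOSTS = {
    "google-analytics.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}

# Universal Analytics IDs look like UA-XXXX-Y; GA4 measurement IDs like G-XXXXXXXX.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Hostnames taken from absolute or protocol-relative URLs (http://, https://, //).
URL_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ga_lookalike(host: str) -> bool:
    """True for hosts that resemble google-analytics.com but are not in the legit set."""
    host = host.lower().strip(".")
    if host in LEGIT_GA_HOSTS:
        return False
    parts = host.split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]  # registrable label, e.g. "google-anatytics" in google-anatytics.com
    return ("googl" in label and "analyt" in label) or edit_distance(label, "google-analytics") <= 2


def find_tracking_ids(html: str) -> set:
    """Every tracking ID that appears literally in the page source."""
    return set(TRACKING_ID_RE.findall(html))


def find_lookalike_hosts(html: str) -> set:
    """Hosts referenced by URL that imitate Google Analytics."""
    return {h.lower() for h in URL_HOST_RE.findall(html) if is_ga_lookalike(h)}


def audit(html: str, allowed_ids: set) -> dict:
    """Report tracking IDs outside the owner's allow-list and imitation GA hosts."""
    return {
        "unknown_ids": sorted(find_tracking_ids(html) - set(allowed_ids)),
        "lookalike_hosts": sorted(find_lookalike_hosts(html)),
    }


# Constructed sample page: the owner's own tracker (UA-12345-1) plus an injected
# second tracker that beacons both to a typo-squatted host and to the genuine endpoint.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-12345-1');
</script>
<script src="/static/checkout.js"></script>
<script>
  // injected: a tracker the site owner never registered
  ga('create', 'UA-99999-9', 'auto');
  new Image().src = 'https://google-anatytics.com/collect?v=1&tid=UA-99999-9';
  new Image().src = 'https://www.google-analytics.com/collect?v=1&tid=UA-99999-9';
</script>
"""

OWNER_IDS = {"UA-12345-1"}  # the IDs the shop owner actually registered (assumption)

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, OWNER_IDS))
    # {'unknown_ids': ['UA-99999-9'], 'lookalike_hosts': ['google-anatytics.com']}
```

Run this against the saved source of the checkout page on a schedule. A tracking ID outside the allow-list is the signal for the variant described above, because the beacon host itself is legitimate and no domain filter will object to it. The host heuristic (registrable label containing both "googl" and "analyt", or within two edits of "google-analytics") catches the typo-squats listed above, but any hit should be reviewed by hand. A static scan also misses IDs that are assembled at runtime or loaded from a third-party script, so pair it with monitoring of what the browser actually sends.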
How to avoid web skimming issues
- Install security software that detects the malicious scripts used in such attacks (detected, for example, as HEUR:Trojan-PSW.Script.Generic).
- Do not install web applications and CMS components from untrusted sources. Keep all software up to date. Follow news about vulnerabilities and take recommended actions to patch them.
- Create strong passwords for all administration accounts.
- Limit user rights to the minimum necessary, and keep track of how many users have access to service interfaces.
- Filter user-entered data and query parameters to prevent the injection of third-party code.
- For e-commerce sites, it is recommended to use PCI DSS-compliant payment gateways.
June 7, 2021