Hackers use Google Analytics to steal credit cards, bypass CSP

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
Aug 17, 2014
12,923
124,772
8,399
Content source
https://www.bleepingcomputer.com/news/security/hackers-use-google-analytics-to-steal-credit-cards-bypass-csp/
Hackers are using Google's servers and the Google Analytics platform to steal credit card information submitted by customers of online stores.

A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.

This new tactic takes advantage of the fact that e-commerce web sites using Google's web analytics service for tracking visitors are whitelisting Google Analytics domains in their CSP configuration (a security standard used to block the execution of untrusted code on web apps).

New research from web security companies Sansec and PerimeterX shows that using CSP to prevent credit card skimming attacks is pointless on sites that also deploy Google Analytics (GA) as threat actors can use it to exfiltrate harvested data to their own accounts.
Click to expand...

Blog | HUMAN Security

Check out the latest HUMAN Blogs for expert insights and industry expertise on digital threats.
www.perimeterx.com www.perimeterx.com
sansec.io

Digital skimmer runs entirely on Google, defeats CSP

sansec.io sansec.io
 
  • Wow
  • Like
  • +Reputation
Reactions: Deletedmessiah, HarborFront, SeriousHoax and 6 others
securelist.com

Web skimming with Google Analytics

Web skimming is a common class of attacks generally aimed at online shoppers. The principle is quite simple: malicious code is injected into the compromised site, which collects and sends user-entered data to a cybercriminal resource. If the attack is
securelist.com securelist.com
 
  • Like
  • +Reputation
Reactions: Protomartyr, CyberTech, SeriousHoax and 2 others
Adblocker like uBlock Origin's default filters: EasyPrivacy, Peter Lowe’s Ad and tracking server list and Adguard's: Adguard Tracking Protection which blocks "googleanalytics" script or the domain as a whole should keep users safe against this attack.
Edit: I couldn't even comment on this with EasyPrivacy enabled because the title of this post contains the words "Google Analytics" in it 😂
 
  • Like
  • +Reputation
Reactions: Protomartyr, CyberTech, Azure and 3 others
Stas said:
I think Firefox & Chromium Edge build-in Enhanced Tracking Protection blocks Google Analytics too.
Click to expand...
Looks like on Firefox it does for both Standard and Strict tracking protection but on Chromium Edge, only Strict blocks Google Analytics, balanced doesn't.
 
  • Like
Reactions: Protomartyr, silversurfer, Gandalf_The_Grey and 1 other person
You must log in or register to reply here.

You may also like...