silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,057
Hackers are using Google's servers and the Google Analytics platform to steal credit card information submitted by customers of online stores.
A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.
This new tactic takes advantage of the fact that e-commerce web sites using Google's web analytics service for tracking visitors are whitelisting Google Analytics domains in their CSP configuration (a security standard used to block the execution of untrusted code on web apps).
New research from web security companies Sansec and PerimeterX shows that using CSP to prevent credit card skimming attacks is pointless on sites that also deploy Google Analytics (GA) as threat actors can use it to exfiltrate harvested data to their own accounts.