Attackers inject malicious code into a hacked site to collect payment data.

Cybercriminals are using Google Analytics to steal credit card information from compromised e-commerce sites. According to experts from Kaspersky Lab, the attackers inject malicious code into the hacked site; the code collects the payment data entered by the user and sends it through Google Analytics to a resource controlled by the attacker.

Attackers often register domains that resemble the names of popular web services in order to make sending data to a third-party resource less noticeable. According to experts, legitimate services were sometimes used during such attacks. The attack is based on the premise that e-commerce websites that use Google’s service to track visitors have included the appropriate domains in their Content Security Policy (CSP).

CSP is an additional security measure that helps you detect threats from cross-site scripting vulnerabilities and other forms of code injection attacks, including Magecart attacks.

To collect data about visitors using Google Analytics, the site owner needs to configure the tracking settings in their account on analytics.google.com, get the tracking ID (trackingId) and embed tracking code containing it in the site's pages. According to experts, a single site may carry several such tracking codes, each sending visitor data to a different Google Analytics account.
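Because the CSP only sees an allowed Google domain, telling the owner's account apart from an unknown one means looking at the tracking ID in each request. The following is an added example, not code from the researchers or the original article: it assumes the tracking ID travels in the `tid` query parameter of Google Analytics collection requests, and the function names, policy, URLs and IDs are constructed for illustration.

```javascript
// Added example. All URLs, tracking IDs and the policy below are constructed.
const GA_HOSTS = new Set(["www.google-analytics.com", "ssl.google-analytics.com"]);

// Simplified CSP check: does connect-src (or default-src) allow this host?
// Handles "*", "*.domain" and plain host sources only.
function cspAllowsConnect(policy, host) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get("connect-src") || directives.get("default-src");
  if (!sources) return true; // no applicable directive, so nothing is blocked
  return sources.some((src) => {
    const s = src.replace(/^https?:\/\//, "").toLowerCase();
    if (s === "*") return true;
    if (s.startsWith("*.")) return host.endsWith(s.slice(1));
    return s === host;
  });
}

// Flag Google Analytics beacons whose "tid" is not one the site owner set up.
function findUnexpectedTrackingIds(requestUrls, allowedIds) {
  const allowed = new Set(allowedIds.map((id) => id.toUpperCase()));
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // skip malformed log entries
    }
    if (!GA_HOSTS.has(url.hostname)) continue;
    const tid = url.searchParams.get("tid");
    if (tid && !allowed.has(tid.toUpperCase())) {
      findings.push({ tid, host: url.hostname, url: raw });
    }
  }
  return findings;
}

const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://www.google-analytics.com";
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-11111111-1&t=pageview",
  "https://www.google-analytics.com/collect?v=1&tid=UA-99999999-7&t=event",
  "https://shop.example/api/cart",
];
for (const f of findUnexpectedTrackingIds(SAMPLE_REQUESTS, ["UA-11111111-1"])) {
  console.log(`CSP allows host: ${cspAllowsConnect(SAMPLE_CSP, f.host)}; unexpected tid ${f.tid}`);
}
```

Feed it request URLs exported from a proxy log or a browser HAR capture of the checkout pages, with the allowlist taken from the site's own analytics configuration.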

As the researchers noted, the criminals also left themselves a way to observe the script in debug mode. If the browser's local storage contains the value ‘debug_mode’ == ’11’, the malicious code will run even when the developer tools are open and will write comments, in error-ridden English, to the console. Once the anti-debugging stage is complete, the script steals all data the user enters on the site.

Experts have discovered about two dozen infected sites around the world. The victims turned out to be stores in Europe and North and South America selling digital equipment, cosmetics, food and spare parts.