Hackers are using Google servers and the Google Analytics platform to steal credit card data from users making purchases and payments on online stores. A new method for bypassing Content Security Policy (CSP) using the Google Analytics API, which came to light a few days ago, is already being used in ongoing Magecart attacks designed to collect credit card data from e-commerce sites. The tactic takes advantage of the fact that e-commerce sites that use Google Analytics to track visitors add the Google Analytics domains to the allowlist in their CSP configuration, a security standard used to block the execution of untrusted web code.
New research from the web security companies Sansec and PerimeterX reveals that using CSP to prevent credit card skimming attacks is pointless on sites that deploy Google Analytics, because attackers can use the same service to transfer the stolen data to their own accounts. A few days ago, PerimeterX spotted a vulnerability in CSP's core functionality when it is used to block the theft of credentials, PII and payment details such as credit card numbers. Instead of blocking injection-based attacks, Google Analytics helps the attackers, who can use it to exfiltrate data. This is done through a web skimmer script specifically designed to encrypt the stolen data and deliver it to the attacker's GA dashboard in encrypted form. To abuse GA for sending the collected information, such as credentials and credit card data, the attackers need only use their own tag ID in the UA-#######-# form, because a CSP policy cannot discriminate based on the tag ID used by a script. PerimeterX Vice President Amir Shaked said the source of the problem is that CSP rules are not granular enough.
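The granularity gap described above can be checked from the defender's side. The following added example (not code from Sansec, PerimeterX or Google) first audits a CSP header for directives that allowlist the Google Analytics hosts, then scans outbound-request log lines for GA collect hits whose `tid` differs from the site's own tag ID, which is the per-account check CSP itself cannot express. The tag ID, the CSP header and the log format (`<timestamp> <client> <url>`) are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Tag ID the shop legitimately uses (constructed placeholder in UA-#######-# form).
SITE_TAG_ID = "UA-1234567-1"
GA_HOSTS = {"www.google-analytics.com", "google-analytics.com"}

# Constructed CSP header of the kind the article describes: GA is allowlisted by host.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://www.google-analytics.com; "
              "connect-src 'self' https://www.google-analytics.com; "
              "img-src 'self' https://www.google-analytics.com")

# Constructed outbound-request log: line 2 reports to a tag ID that is not the shop's own.
SAMPLE_LOG = [
    "2020-06-22T10:01:02Z 203.0.113.5 https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=pageview&dp=%2Fcheckout",
    "2020-06-22T10:01:09Z 203.0.113.5 https://www.google-analytics.com/collect?v=1&tid=UA-7654321-9&t=event",
    "2020-06-22T10:01:10Z 203.0.113.5 https://www.example-shop.test/checkout/submit",
]

def parse_csp(header):
    """Turn a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _is_ga_source(src):
    """True if a CSP source expression (host, scheme://host, *.host) names a GA host."""
    host = src.split("//")[-1].split("/")[0].lstrip("*.").lower()
    return host in GA_HOSTS or host.endswith(".google-analytics.com")

def ga_allowlisted(header):
    """Directives that allow Google Analytics. CSP matches on host only, so any
    GA account, including an attacker's, can receive data through these directives."""
    return sorted(d for d, srcs in parse_csp(header).items()
                  if any(_is_ga_source(s) for s in srcs))

def foreign_ga_hits(log_lines):
    """Return (line_no, tid) for GA collect requests whose tid is not SITE_TAG_ID."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        u = urlparse(line.split()[-1])
        if u.hostname in GA_HOSTS and u.path.endswith("/collect"):
            tid = parse_qs(u.query).get("tid", [""])[0]
            if tid != SITE_TAG_ID:
                findings.append((n, tid))
    return findings

if __name__ == "__main__":
    print("GA allowlisted in:", ga_allowlisted(SAMPLE_CSP))
    print("collect hits to foreign tag IDs:", foreign_ga_hits(SAMPLE_LOG))
```

The `tid` check belongs at a point that sees the traffic (a forward proxy or browser-side monitoring), since the CSP allowlist alone lets both lines 1 and 2 through.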
Recognizing and blocking scripts designed to exploit this flaw requires advanced solutions that can detect access to and exfiltration of sensitive user data, in this case e-mail addresses and user passwords. Of the world's top 3 million domains, only 210,000 use CSP, according to PerimeterX statistics derived from an HTTPArchive scan from March 2020, and 17,000 of the sites reachable through these domains allowlist google-analytics.com. According to statistics provided by BuiltWith, more than 29 million sites use Google Analytics, while Baidu Analytics and Yandex Metrika are used on more than 7 million and 2 million sites, respectively.
Sansec's threat research team said it had been monitoring a Magecart campaign since March 17 in which hackers take advantage of the problem to bypass CSP on dozens of e-commerce sites that use Google Analytics. The hackers behind the campaign went one step further by ensuring that all elements of the campaign used Google servers: they delivered the credit card web skimmer to their target sites through Google's open storage platform, firebasestorage.googleapis.com. Sansec explained that when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as suspicious, while popular countermeasures such as Content-Security-Policy (CSP) will not work when a site administrator trusts Google. The loader the hackers use to inject the web skimmer has several layers and loads a GA account controlled by the intruders into a temporary iframe. Once loaded, the skimmer monitors the compromised site for user input, steals the credit card details that are entered, encrypts them and automatically transfers them to the hackers' GA dashboard. The hackers can then collect the stolen credit card data from the free Google Analytics dashboard and decrypt it using an XOR encryption key.
According to Sansec, if customers of the compromised online store open their browser's developer tools, this would be detected and the skimmer would switch itself off automatically. Sansec CEO and founder Willem de Groot told BleepingComputer that everything is allowed by default. CSP was created to limit untrusted code execution, but because almost everyone trusts Google, the model is flawed. Based on these findings, CSP is far from infallible against injected web skimmers such as Magecart if hackers find a way to take advantage of an already allowed domain or service to steal information. A solution could come from custom URLs, with an ID added as part of the URL or subdomain, which would allow administrators to set CSP rules that restrict the sending of data to other accounts.