Attackers are misusing Google Apps Script (a scripting platform developed by Google for building lightweight applications on top of Google Workspace) to steal credit card data that customers submit to e-commerce sites during checkout. Specifically, the attackers route the stolen data through the domain script.google.com, which lets the activity slip past malware scanners and bypass the site's Content Security Policy (CSP).
According to BleepingComputer, the attackers are exploiting the fact that online stores tend to treat the Google Apps Script domain as trustworthy and often allow every Google subdomain wholesale in their CSP configuration (CSP being the web standard that restricts where a page may load and send code and data, so that untrusted code cannot execute in the application).
Credit card skimmers (Magecart payment card scripts, or simply skimmers) are JavaScript snippets that cybercrime groups, collectively known as Magecart groups, inject into online stores during e-skimming attacks.
Once injected, the scripts let the attackers harvest payment and personal information submitted by customers of the compromised stores and exfiltrate it to servers under their control.
This new payment-data theft tactic was discovered by security researcher Eric Brandel while analyzing Early Breach Detection data provided by Sansec, a cyber security company focused on combating digital skimming.
Brandel found that the malicious skimmer script injected by the e-commerce site intruders intercepted the payment information submitted by users.
All payment information stolen from the compromised online stores was sent as base64-encoded JSON to a custom Google Apps Script application, using script[.]google[.]com as the exfiltration endpoint. Once the data reached the Apps Script endpoint, it was forwarded to another server, analit[.]tech, an Israel-based site controlled by the attackers.
This is not the first time malicious actors have abused Google services. In a similar earlier incident, the hacking group FIN7 (also known as Carbanak or Cobalt) misused Google Sheets and Google Forms for malware command-and-control. Since mid-2015, FIN7 has targeted banks and PoS (point-of-sale) terminals of EU and US companies using the Carbanak backdoor.
According to Sansec, e-commerce site administrators must ensure that intruders cannot inject unauthorized code in the first place. Monitoring for server-side malware and vulnerabilities is essential to any modern security policy.
Attackers have abused other Google services in Magecart attacks as well: Google Analytics has been used to steal payment information from dozens of online stores.
What made those attacks worse was that, by abusing the Google Analytics API, the attackers could also bypass CSP, because web stores add Google Analytics to their CSP allowlist for visitor tracking.
According to Sansec and PerimeterX, instead of blocking injection-based attacks, such CSP policies explicitly allowed the Google Analytics domain, which let the attackers use it to exfiltrate stolen data. This was done with a web skimmer script specifically designed to encrypt the stolen data and send it to the attacker's own Google Analytics account, where it showed up in their Analytics dashboard in encrypted form.
Based on the statistics provided by BuiltWith, over 28 million sites currently use Google's web analytics services.
In addition, Sansec noted that when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as "suspicious". Most importantly, popular countermeasures such as CSP are ineffective when a webmaster trusts Google as a whole.
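The CSP problem described above for both the Apps Script exfiltration and the earlier Google Analytics abuse can be checked mechanically. The following is an added example, not code from the article or from Sansec or BleepingComputer: a small checker that evaluates whether a page's CSP would let a skimmer POST to a given URL, and that decodes the base64-wrapped JSON body the article describes. It implements only a simplified subset of CSP host-source matching (scheme, host with a leading "*." wildcard, port, path prefix) rather than a full CSP engine. The store origin `shop.example`, the Apps Script deployment URL with `EXAMPLE_DEPLOYMENT_ID`, the two policies, and the card data in the sample body are all constructed for the example.

```javascript
// Added example (not from the article or from Sansec/BleepingComputer): a small
// CSP checker showing why a policy that trusts *.google.com lets a skimmer post
// stolen card data to a Google Apps Script endpoint. Simplified CSP matching only.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Does one CSP source expression cover the target URL?
function sourceAllows(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;   // 'none', nonces, hashes, 'unsafe-*' name no host
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  const host = url.hostname;
  if (hostPattern === "*") {
    // any host
  } else if (hostPattern.startsWith("*.")) {
    const suffix = hostPattern.slice(1);      // "*.google.com" -> ".google.com"
    if (!host.endsWith(suffix)) return false; // matches script.google.com, not google.com itself
  } else if (hostPattern !== host) {
    return false;
  }
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && port !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Would a fetch()/XHR/sendBeacon to `target` from a page at `pageOrigin` pass CSP?
// connect-src governs these requests and falls back to default-src when absent.
function cspAllowsConnect(header, target, pageOrigin) {
  const url = new URL(target);
  const sources = parseCsp(header)["connect-src"] || parseCsp(header)["default-src"];
  if (!sources) return true;                  // no applicable directive: unrestricted
  return sources.some((s) => sourceAllows(s, url, pageOrigin));
}

// Decode the exfiltration body described in the article: base64-wrapped JSON.
function decodeSkimmerPayload(body) {
  return JSON.parse(Buffer.from(body, "base64").toString("utf8"));
}

const SHOP = "https://shop.example";                                                          // hypothetical store
const APPS_SCRIPT_ENDPOINT = "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"; // hypothetical deployment
const GA_COLLECT = "https://www.google-analytics.com/collect";

// Policy as many stores write it: every Google subdomain is trusted.
const TRUSTING_POLICY =
  "default-src 'self'; script-src 'self' https://*.google.com https://www.google-analytics.com; " +
  "connect-src 'self' https://*.google.com https://www.google-analytics.com";

// Narrowed policy: only the hosts the site actually needs, named exactly.
const NARROW_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com";

function demo() {
  // Constructed sample of what a skimmer posts: base64(JSON) with fake card data.
  const body = Buffer.from(
    JSON.stringify({ cc: "4111111111111111", exp: "12/27", cvv: "123" })
  ).toString("base64");
  return {
    appsScriptUnderTrusting: cspAllowsConnect(TRUSTING_POLICY, APPS_SCRIPT_ENDPOINT, SHOP), // true
    appsScriptUnderNarrow: cspAllowsConnect(NARROW_POLICY, APPS_SCRIPT_ENDPOINT, SHOP),     // false
    analyticsUnderNarrow: cspAllowsConnect(NARROW_POLICY, GA_COLLECT, SHOP),                // true: still an exfil path
    decoded: decodeSkimmerPayload(body),
  };
}

console.log(demo());
```

The third result is the point Sansec makes: narrowing the allowlist from `*.google.com` to exact hosts closes the Apps Script route, but a store that legitimately uses Google Analytics must still allow `www.google-analytics.com`, so a skimmer reporting to the attacker's own Analytics property passes the same policy. CSP can only constrain where data goes, not whose account receives it, which is why the article's recommendation is to keep the injection from happening at all and to monitor the server side.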
Finally, Willem de Groot, CEO and founder of Sansec, told BleepingComputer that CSP was invented to limit the execution of untrusted code, but because almost everyone trusts Google, the model is "defective".