Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards information

DACKLY by DACKLY
June 26, 2020
in Business

LAST UPDATED: June 26, 2020, 07:00 a.m. EST: On Monday, Kaspersky, Sansec and PerimeterX each published reports describing how hackers are using Google Analytics to bypass web security and steal credit card information. The attackers get around Content Security Policy (CSP) by using a Google Analytics tracking code tied to an account they control. According to the reports, they inject data-stealing code into compromised sites alongside a Google Analytics tracking code for their own account.

Many CSP deployments whitelist Google's domains, and that is the feature the attackers exploit. The campaigns target e-commerce websites, where users have to enter their credit card details to buy something.

By injecting code and using Google Analytics tracking, they exfiltrate payment information entered by customers, even on sites that enforce strict security policies. Kaspersky's report lists more than two dozen affected websites selling physical goods, cosmetics, spare parts and food products.

Sansec and PerimeterX said that relying on CSP to prevent credit card skimming is pointless if the e-commerce site has also whitelisted Google Analytics.

On June 17, PerimeterX reported, “an easy to reproduce vulnerability in the core functionality of CSP when using it for blocking theft of credentials, PII and payment data like credit cards.”

The purpose of CSP is to block injection-based attacks, but allowing Google Analytics scripts benefits attackers, who can use Google Analytics itself to carry users' data out. This is done through a web skimmer script designed to encode stolen credit card data and deliver it, in encoded form, to the attacker's own Google Analytics account.

To do this, attackers only need the Tag ID (the UA- code) of a Google Analytics account they own, because, as PerimeterX put it, "the CSP policy can't discriminate based on the Tag ID". Their script can then abuse GA to send out the credit card data.

[Image: JavaScript code abusing GA for exfiltration]

Amir Shaked, VP of R&D at PerimeterX, walked through the whole process in his blog post, using GA as the example of how attackers abuse hosts whitelisted in CSP, since it is the most commonly whitelisted third-party service in CSP configurations.

Netherlands-based Sansec's Threat Research Team also revealed that they had been tracking this Magecart campaign since March 17. They found attackers misusing Google Analytics to bypass CSP on various e-commerce sites that use Google Analytics code.

[Image: JavaScript code injected into the website]

The hackers ran every component of the campaign on Google servers: the credit card web skimmer itself was delivered to the targeted sites from Google's open storage platform, firebasestorage.googleapis.com.


Magecart usually runs on dodgy servers in tax havens. But when a skimming campaign runs entirely on trusted Google servers, few security systems will flag it as harmful, and a security measure like Content-Security-Policy (CSP) will not help when the site administrator has told it to trust Google.

[Image: Credit card data in Google Analytics, highlighted]
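Because the skimmer traffic goes to the same Google endpoints the site already uses, host-based blocking does not see it. What a defender can still look at is the content of the outbound requests. The following audit is an added example for this article, not code from Kaspersky, Sansec or PerimeterX; the tag IDs, the expected-host allowlist and the five request log lines are constructed for the example. It flags a script loaded from a host the checkout page should never use, a Google Analytics hit addressed to a tag ID the site does not own, and a hit parameter whose base64-decoded value contains a Luhn-valid card number.

```javascript
// Added example (not from the dackly.com article or the vendor reports):
// audit a log of outbound requests from a checkout page for the Google
// Analytics abuse pattern described above.

// Constructed for this example: the shop's own GA property and the hosts
// its pages are expected to load scripts from.
const SITE_GA_TIDS = new Set(["UA-1234567-1"]);
const EXPECTED_SCRIPT_HOSTS = new Set([
  "shop.example",
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);
const GA_COLLECT_HOSTS = new Set(["www.google-analytics.com", "ssl.google-analytics.com"]);

// What a skimmer would put into a GA event field: constructed here from a
// standard test PAN, base64-encoded the way the reports describe.
const FAKE_STOLEN = Buffer.from("card=4111111111111111|exp=12/24|cvv=123", "utf8").toString("base64");

// Constructed sample log, "<request type> <url>" per line, as a RUM agent or
// proxy might record the requests made by the checkout page.
const SAMPLE_LOG = [
  "script https://www.googletagmanager.com/gtag/js?id=UA-1234567-1",
  "xhr https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=pageview&dp=%2Fcheckout",
  "script https://firebasestorage.googleapis.com/v0/b/example-bucket/o/app.js?alt=media",
  `xhr https://www.google-analytics.com/collect?v=1&tid=UA-7654321-1&t=event&ec=checkout&ea=${encodeURIComponent(FAKE_STOLEN)}`,
  "img https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=event&ec=ui&ea=click",
].join("\n");

// Luhn check, so that a long digit run is only reported when it is a plausible PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function containsCardNumber(text) {
  const runs = text.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Checks the value as sent and, when it looks like base64, after decoding.
function looksLikeCardData(value) {
  if (containsCardNumber(value)) return true;
  if (/^[A-Za-z0-9+/=_-]{16,}$/.test(value)) {
    const decoded = Buffer.from(value, "base64").toString("utf8");
    if (containsCardNumber(decoded)) return true;
  }
  return false;
}

// Returns one finding object per suspicious observation: {line, kind, detail}.
function auditLog(log) {
  const findings = [];
  log.split("\n").forEach((line, idx) => {
    const [type, raw] = line.trim().split(/\s+/, 2);
    if (!raw) return;
    const url = new URL(raw);
    const lineNo = idx + 1;

    // Skimmer delivery: a script from a host the page never legitimately uses.
    if (type === "script" && !EXPECTED_SCRIPT_HOSTS.has(url.hostname)) {
      findings.push({ line: lineNo, kind: "unexpected-script-host", detail: url.hostname });
    }

    // GA hits: the tid must be ours, and no field may carry card-like data.
    if (GA_COLLECT_HOSTS.has(url.hostname) && url.pathname.endsWith("/collect")) {
      const tid = url.searchParams.get("tid");
      if (tid && !SITE_GA_TIDS.has(tid)) {
        findings.push({ line: lineNo, kind: "foreign-ga-tid", detail: tid });
      }
      for (const [name, value] of url.searchParams) {
        if (name !== "tid" && looksLikeCardData(value)) {
          findings.push({ line: lineNo, kind: "card-like-payload", detail: name });
        }
      }
    }
  });
  return findings;
}

console.log(auditLog(SAMPLE_LOG));
```

The tid comparison is the cheap, high-signal check: a legitimate page only ever reports to the property IDs the site registered, so any other UA- code in a collect hit is either a misconfiguration or exactly the abuse described above. The Luhn scan catches the same skimmer if it registers no tid at all or uses an obfuscation other than base64 only when the PAN survives decoding, so it is a supplement, not a replacement.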

The problem is large: according to PerimeterX statistics based on an HTTP Archive scan from March 2020, only 210,000 of the top 3 million domains worldwide use CSP at all, and 17,000 of those whitelist google-analytics.com.

Based on statistics from BuiltWith, 29 million websites currently use Google's GA web analytics service. Baidu Analytics and Yandex Metrika are used by more than 7 million and 2 million sites respectively.

The remedy PerimeterX proposes is to strengthen CSP itself.

One option is adaptive URLs: putting the account ID into the URL path or subdomain, so that administrators can write CSP rules that allow their own account and block exfiltration to any other.

A more granular direction for the CSP standard would be XHR proxy enforcement. This would essentially create a client-side WAF that can enforce a policy on where specific data fields may be transmitted.
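The point that "the CSP policy can't discriminate based on the Tag ID" and the adaptive-URL proposal above both come down to how CSP matches a source expression against a request URL. The following cut-down matcher is an added example written for this article, not code from PerimeterX, Sansec, Kaspersky or the CSP specification; the two tag IDs are made up, and the subdomain scheme in the last function is the hypothetical remedy the proposal describes, not something Google Analytics offers. It shows that a policy allowing www.google-analytics.com accepts a hit for any tag ID, that pinning the path does not help because the tag ID is in the query string, and that an account-specific host would let the policy discriminate.

```javascript
// Added example, not code from the dackly.com article or from the cited
// vendor reports: a simplified CSP source-expression matcher covering the
// scheme, host (optionally with a leading "*."), port and path parts.
// Keyword sources ('self', 'none'), nonces and hashes are skipped, and the
// query string is ignored, as the CSP matching algorithm ignores it.

function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcardHost: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
    path: m[5] || null,
  };
}

// A source with scheme http also matches https; nothing else crosses schemes.
function schemeAllowed(srcScheme, urlScheme) {
  return srcScheme === urlScheme || (srcScheme === "http" && urlScheme === "https");
}

function sourceMatches(src, urlString, pageScheme = "https") {
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  if (!schemeAllowed(src.scheme || pageScheme, urlScheme)) return false;

  if (src.wildcardHost ? !url.hostname.endsWith("." + src.host) : url.hostname !== src.host) return false;

  const defaultPort = urlScheme === "https" ? "443" : "80";
  const urlPort = url.port || defaultPort;
  if (src.port === null ? urlPort !== defaultPort : src.port !== "*" && src.port !== urlPort) return false;

  if (src.path !== null) {
    // A trailing slash means prefix match; otherwise the path must match exactly.
    if (src.path.endsWith("/") ? !url.pathname.startsWith(src.path) : url.pathname !== src.path) return false;
  }
  return true;
}

// True when any host source in connect-src (falling back to default-src) allows the URL.
function connectAllowed(policy, urlString) {
  const sources = policy["connect-src"] || policy["default-src"] || [];
  return sources
    .filter((s) => !s.startsWith("'"))
    .some((s) => sourceMatches(parseSource(s), urlString));
}

// Hypothetical tag IDs: the shop's own, and one the attacker registered.
const SITE_TID = "UA-1234567-1";
const ATTACKER_TID = "UA-7654321-1";

// A GA hit is the same endpoint for everyone; only the tid and fields differ.
function gaHit(tid, extra) {
  return `https://www.google-analytics.com/collect?v=1&tid=${tid}&${extra}`;
}

// The common real-world policy: the GA host is allowed, so both hits pass.
function demoHostPolicy() {
  const policy = { "connect-src": ["'self'", "https://www.google-analytics.com"] };
  return {
    legit: connectAllowed(policy, gaHit(SITE_TID, "t=pageview&dp=%2Fcheckout")),
    exfil: connectAllowed(policy, gaHit(ATTACKER_TID, "t=event&ea=" + encodeURIComponent("<encoded card data>"))),
  };
}

// Pinning the path does not help: the tid lives in the query string, which CSP never sees.
function demoPathPolicy() {
  const policy = { "connect-src": ["https://www.google-analytics.com/collect"] };
  return connectAllowed(policy, gaHit(ATTACKER_TID, "t=event&ea=x"));
}

// Hypothetical adaptive-URL scheme: with the tag ID in the host name, the
// policy can name the shop's own account and nothing else.
function demoAdaptiveUrl() {
  const policy = { "connect-src": [`https://${SITE_TID.toLowerCase()}.google-analytics.com`] };
  const hit = (tid) => `https://${tid.toLowerCase()}.google-analytics.com/collect?v=1&tid=${tid}&t=event`;
  return { legit: connectAllowed(policy, hit(SITE_TID)), exfil: connectAllowed(policy, hit(ATTACKER_TID)) };
}

console.log(demoHostPolicy(), demoPathPolicy(), demoAdaptiveUrl());
```

The matcher deliberately stops at the path: that is where the real algorithm stops too, which is the whole reason a host-level allowlist cannot express "only my Google Analytics account". Note also that a `*.googleapis.com` entry, common in policies that use other Google APIs, would likewise allow the skimmer delivery host named earlier in the article.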

While CSP is a useful tool to have in your web security tool belt, it is not foolproof. In addition to the complexity of managing CSP rules, this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection — Amir Shaked

Google responded to the issue by saying: "We were recently notified of this activity and immediately suspended the offending accounts for violating our terms of service. When we find unauthorized use of Google Analytics, we take action."
