LAST UPDATED: June 26, 2020, 07:00 a.m. EST: On Monday, Kaspersky, Sansec, and PerimeterX each published reports describing how attackers are using Google Analytics to bypass web security controls and steal credit card information. The attackers abuse Content Security Policy (CSP) allow-lists: according to the reports, they inject data-stealing code into compromised sites together with a Google Analytics tracking code that belongs to their own account.
Many CSP configurations whitelist Google's domains, and that trust is exactly what the attackers exploit. So far the campaign has targeted e-commerce websites, where shoppers have to enter their card details to complete a purchase.
By injecting the skimmer and using Google Analytics as the transport, they exfiltrate payment information entered by customers even when strict security policies are enforced. Kaspersky's report identified more than two dozen affected websites selling physical goods such as cosmetics, spare parts, and food products.
Sansec and PerimeterX said that relying on CSP to prevent this kind of card theft is pointless if the e-commerce site has also deployed Google Analytics, since the same allow-list entry that permits legitimate analytics traffic also permits the attacker's.
On June 17, PerimeterX reported, “an easy to reproduce vulnerability in the core functionality of CSP when using it for blocking theft of credentials, PII and payment data like credit cards.”
CSP exists to block injection-based attacks, but allowing Google Analytics scripts benefits attackers, who can use Google Analytics itself to steal users' data. This is done through a web skimmer script designed to encode stolen credit card data and deliver it, in encrypted form, to the attacker's own Google Analytics dashboard.
To pull this off, attackers only need to use their own Tag ID (the UA- tracking code) in the skimmer. As PerimeterX put it, “the CSP policy can’t discriminate based on the Tag ID,” so a policy that allows the Google Analytics host lets the attacker's script send card data to an account the attacker controls.
Amir Shaked, VP of R&D at PerimeterX, explained the whole process in a blog post. He used GA as the example because it is the most commonly whitelisted third-party service in CSP configurations, but the underlying problem is that attackers can route traffic through any host a policy already trusts.
Netherlands-based Sansec's Threat Research Team also reported that it had been tracking this Magecart campaign since March 17, and found attackers misusing Google Analytics to bypass CSP on various e-commerce sites that had Google Analytics code deployed.
The attackers ran every component of the campaign on Google infrastructure: the credit card skimmer itself was delivered to targeted sites from Google's Firebase storage service, firebasestorage.googleapis.com.
Magecart skimmers typically run on dodgy servers in tax havens. When a skimming campaign runs entirely on trusted Google servers, however, few security systems will flag it as harmful, and security measures like Content-Security-Policy (CSP) offer no protection once a site administrator has chosen to trust Google.
Adoption figures show the scale of the exposure. According to PerimeterX statistics based on an HTTP Archive scan from March 2020, only 210,000 of the top 3 million domains worldwide use CSP at all, and 17,000 of those whitelist google-analytics.com.
According to BuiltWith, about 29 million websites currently use Google's GA web analytics service, while Baidu Analytics and Yandex Metrika are used by more than 7 million and 2 million sites, respectively.
The remedy PerimeterX proposes is to strengthen CSP itself.
One option is adaptive URLs: putting the account ID into the URL or subdomain, so that administrators could write CSP rules that allow analytics traffic only to their own account and block exfiltration to any other.
A more granular direction, proposed for consideration as part of the CSP standard, is XHR proxy enforcement. This would effectively create a client-side WAF that can enforce a policy on where specific data fields are allowed to be transmitted.
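The following is an added example, not code from the article or from any of the vendors it cites. It models the two points above in a few dozen lines: a toy CSP host matcher shows that a policy allowing www.google-analytics.com cannot tell the merchant's Tag ID from an attacker's, because the ID is only a query parameter on an already-trusted host; and a hypothetical per-property hostname (the "adaptive URL" idea) shows how an ID-aware policy could block the rogue hit. The tracking IDs, the shop origin, the skimmed field values and the per-property endpoint are all constructed for the demonstration; Google does not offer such an endpoint. The matcher covers only scheme, exact host and wildcard host sources, which is all the argument needs.

```javascript
// Added example: toy CSP host matcher plus Measurement Protocol-style hit builder.
// Not the article's or any vendor's code. IDs, origin and payload are constructed.

// Source list for `name`, falling back to default-src as CSP does for fetch directives.
function parseDirective(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Host-source matching: optional scheme, exact host or "*." wildcard.
// Ports and paths are ignored; this shows the host-only granularity the article discusses.
function hostSourceMatches(source, url) {
  let scheme = null;
  let hostPattern = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) {
    scheme = m[1].toLowerCase();
    hostPattern = m[2];
  }
  hostPattern = hostPattern.replace(/[/:].*$/, '').toLowerCase();
  if (scheme && scheme !== url.protocol.slice(0, -1).toLowerCase()) return false;
  const host = url.hostname.toLowerCase();
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1); // ".google-analytics.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPattern;
}

// Does `policy` let `directive` (e.g. connect-src) reach `urlString`?
function cspAllows(policy, directive, urlString, selfOrigin) {
  const sources = parseDirective(policy, directive) || parseDirective(policy, 'default-src');
  if (!sources) return true; // no governing directive: CSP imposes no restriction
  const url = new URL(urlString);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (url.origin === selfOrigin) return true;
      continue;
    }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// A Measurement Protocol v1 event hit. The tracking ID (tid) is just a query
// parameter on a host the merchant's CSP already trusts.
function gaHitUrl(tid, fields) {
  const u = new URL('https://www.google-analytics.com/collect');
  u.searchParams.set('v', '1');
  u.searchParams.set('tid', tid);
  u.searchParams.set('t', 'event');
  for (const [k, v] of Object.entries(fields)) u.searchParams.set(k, v);
  return u.toString();
}

// HYPOTHETICAL "adaptive URL": the property ID becomes the subdomain. Google does not
// offer this; it exists only to show what an ID-aware policy could enforce.
function gaHitUrlPerProperty(tid, fields) {
  return gaHitUrl(tid, fields).replace(
    'https://www.google-analytics.com/',
    `https://${tid.toLowerCase()}.google-analytics.com/`,
  );
}

const SELF = 'https://shop.example';         // constructed merchant origin
const MERCHANT_TID = 'UA-00000001-1';        // constructed placeholder
const ATTACKER_TID = 'UA-00000002-1';        // constructed placeholder

// Typical policy today: trusts the GA host for scripts, beacons and pixels.
const HOST_POLICY = "default-src 'self'; script-src 'self' https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com";

// Policy only possible with per-property hosts (hypothetical).
const PER_ID_POLICY = `default-src 'self'; connect-src 'self' https://${MERCHANT_TID.toLowerCase()}.google-analytics.com`;

function demonstrate() {
  const legit = gaHitUrl(MERCHANT_TID, { ec: 'checkout', ea: 'view' });
  // Constructed stand-in for skimmed form fields (Visa test PAN), base64-encoded as skimmers commonly do.
  const skimmed = gaHitUrl(ATTACKER_TID, { ec: 'x', ea: 'x', el: btoa('cc=4111111111111111&exp=12/24') });
  return {
    legitAllowed: cspAllows(HOST_POLICY, 'connect-src', legit, SELF),
    skimmedAllowed: cspAllows(HOST_POLICY, 'connect-src', skimmed, SELF),   // the bypass
    randomHostBlocked: !cspAllows(HOST_POLICY, 'connect-src', 'https://evil.example/c', SELF),
    perIdLegitAllowed: cspAllows(PER_ID_POLICY, 'connect-src', gaHitUrlPerProperty(MERCHANT_TID, {}), SELF),
    perIdSkimmedBlocked: !cspAllows(PER_ID_POLICY, 'connect-src', gaHitUrlPerProperty(ATTACKER_TID, {}), SELF),
    // A wildcard source reopens the hole even with per-property hosts.
    wildcardReopens: cspAllows('connect-src *.google-analytics.com', 'connect-src', gaHitUrlPerProperty(ATTACKER_TID, {}), SELF),
  };
}
```

Running `demonstrate()` returns `legitAllowed` and `skimmedAllowed` both `true` under the host-based policy: the two hits differ only in `tid`, which a host source cannot see. Under the hypothetical per-property policy the merchant's hit passes and the attacker's is blocked, but note that a lazy `*.google-analytics.com` wildcard would hand the bypass straight back.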
While CSP is a useful tool to have in your web security tool belt, it is not foolproof. In addition to the complexity of managing CSP rules, this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection — Amir Shaked
Google responded to the reports: “We were recently notified of this activity and immediately suspended the offending accounts for violating our terms of service. When we find unauthorized use of Google Analytics, we take action.”