sb-eu logo
Story image

Cybercrims' web skimming strategies taint web analytics platforms

30 Jun 2020

While cybercriminals commonly use web skimming to steal people’s credit card details and personal information directly off online stores’ checkout pages, it is not often those attacks go as far as using legitimate web analytics platforms like Google Analytics. However, researchers from Kaspersky have found that some cybercriminals are doing exactly that. 

Normally, web skimming injects malicious code into a website’s source code. That code then captures personal information like logins and credit card numbers, and sends it directly to an address specified by the perpetrators.

Criminals will often ‘fake’ domains that look like genuine web analytics services, like googlc.analytics[.]com, so that site administrators who aren’t looking too closely would be fooled.

However, researchers say that criminals are now trying something different.

“Rather than redirecting the data to third-party sources, they redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts,” the researchers explain.

This time it is even more difficult for site administrators to detect trickery because the information is going to a genuine analytics account.

Additionally, criminals use an anti-debugging technique that hides the malicious code if site administrators look at the source code in developer mode.

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators,” comments Kaspersky senior malware analyst Victoria Vlasova.

“That makes malicious injects containing Google Analytics accounts inconspicuous—and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is okay.”

So far, about two dozen websites were found to be compromised in this way, which included stores in Europe and North and South America.

Kaspersky states that it has informed Google of the problem. Google confirmed that it has ongoing investments in spam detections.

Kaspersky recommends that people and businesses should use a security solution that detects and blocks malicious scripts from running. Alternatively, people can disable Google Analytics in some Safe Browser products.

Story image
Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
In Techday's second IT Jam with Vectra AI, we speak again with its head of security engineering Chris Fisher, who discusses the organisational impact of security breaches within Microsoft O365, why these attacks are on the rise, and what steps organisations should take to protect employees from attacks.More
Story image
Check Point a Leader in Firewall Magic Quadrant for 21st Time
It is the 21st time in the company’s history that Check Point has been named a Leader in Gartner’s Magic Quadrant for Enterprise Network Firewalls.More
Story image
Kaspersky unveils two major update to its Transparency Initiative
The company has announced the opening of a new Transparency Center, as well as the ompletion of a widespread transferal of data storage and processing activities to Switzerland.More
Story image
Radware expands DDoS prevention support for AWS
e are pleased to support Radware as they integrate their DefensePro Virtual Appliance for AWS with AWS Gateway Load Balancer,” says AWS spokesman.More
Story image
CyberArk launches Forescout and Phosphorus integration to aid with IoT security
“Through our integration with Forescout and Phosphorus, CyberArk dramatically improves security and compliance, and alleviates the burden on IT and security teams."More
Story image
Trend Micro integrates with AWS Gateway Load Balancer for improved security function
Cloud security firm Trend Micro has announced its hybrid cloud security integration with the newly launched AWS Gateway Load Balancer.More