sb-eu logo
Story image

Cybercrims' web skimming strategies taint web analytics platforms

30 Jun 2020

While cybercriminals commonly use web skimming to steal people’s credit card details and personal information directly off online stores’ checkout pages, it is not often those attacks go as far as using legitimate web analytics platforms like Google Analytics. However, researchers from Kaspersky have found that some cybercriminals are doing exactly that. 

Normally, web skimming injects malicious code into a website’s source code. That code then captures personal information like logins and credit card numbers, and sends it directly to an address specified by the perpetrators.

Criminals will often ‘fake’ domains that look like genuine web analytics services, like googlc.analytics[.]com, so that site administrators who aren’t looking too closely would be fooled.

However, researchers say that criminals are now trying something different.

“Rather than redirecting the data to third-party sources, they redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts,” the researchers explain.

This time it is even more difficult for site administrators to detect trickery because the information is going to a genuine analytics account.

Additionally, criminals use an anti-debugging technique that hides the malicious code if site administrators look at the source code in developer mode.

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators,” comments Kaspersky senior malware analyst Victoria Vlasova.

“That makes malicious injects containing Google Analytics accounts inconspicuous—and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is okay.”

So far, about two dozen websites were found to be compromised in this way, which included stores in Europe and North and South America.

Kaspersky states that it has informed Google of the problem. Google confirmed that it has ongoing investments in spam detections.

Kaspersky recommends that people and businesses should use a security solution that detects and blocks malicious scripts from running. Alternatively, people can disable Google Analytics in some Safe Browser products.