
Cybercrims' web skimming strategies taint web analytics platforms

30 Jun 2020

Cybercriminals commonly use web skimming to steal credit card details and personal information directly from online stores' checkout pages, but those attacks rarely go as far as abusing a legitimate web analytics platform such as Google Analytics. Researchers from Kaspersky have found that some cybercriminals are now doing exactly that.

In a typical web skimming attack, the attacker injects malicious code into a compromised site's pages. That code captures personal information such as logins and card numbers as shoppers type it, and sends it to an address controlled by the attacker.

To make that address blend in, criminals often register look-alike domains that resemble genuine web analytics services, such as googlc.analytics[.]com, so that a site administrator who is not looking closely will mistake the exfiltration endpoint for a legitimate tracker.

However, researchers say that criminals are now trying something different.

“Rather than redirecting the data to third-party sources, they redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts,” the researchers explain.

This makes the trickery even harder for site administrators to spot: the stolen data is delivered to a genuine Google Analytics account over the real analytics domain, so the request looks like ordinary telemetry, and a Content Security Policy that already permits the analytics domain will not block it either.

Additionally, the injected script uses an anti-debugging technique: it checks whether the browser's developer tools are open and, if they are, does not run, so an administrator inspecting the page in developer mode sees no malicious activity.
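One practical check that follows from the two points above is to audit the HTML your server actually serves, offline, rather than in a browser where the skimmer can detect developer tools and go quiet. The script below is an added example, not code from the article or from Kaspersky: it scans a page for Google Analytics tracking IDs and flags any ID that is not in the site's own allowlist, plus any inline script that references the Measurement Protocol collect endpoint directly (the official gtag/analytics.js snippet never does that inline; only the library it loads does). The allowlisted ID, the sample page and the skimmer stand-in are all constructed for the example. It is a first-pass check only: a skimmer that assembles its tracking ID from obfuscated fragments will defeat a plain regex.

```javascript
// Added example (not from the article or Kaspersky): flag Google Analytics
// tracking IDs that do not belong to this site, and inline scripts that hit
// the collect endpoint directly.

// Hypothetical: the single tracking ID this site legitimately uses.
const ALLOWED_IDS = new Set(["UA-12345678-1"]);

// Universal Analytics property IDs (UA-xxxxxxxx-x) and GA4 measurement IDs (G-xxxxxxxxxx).
const GA_ID_RE = /\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b/g;

// The Measurement Protocol endpoint a skimmer beacons to. Non-global so .test()
// carries no lastIndex state between calls.
const COLLECT_RE = /google-analytics\.com\/(?:j\/|g\/)?collect/i;

// Bodies of every <script> tag in document order (empty for src-only tags).
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditGaIds(html, allowed = ALLOWED_IDS) {
  const findings = [];
  // Scan the whole document so IDs in <script src="...?id=..."> and in inline code both count.
  const seen = new Set(html.match(GA_ID_RE) || []);
  for (const id of seen) {
    if (!allowed.has(id)) findings.push({ id, reason: "tracking ID not in allowlist" });
  }
  scriptBodies(html).forEach((body, script) => {
    if (COLLECT_RE.test(body)) {
      findings.push({ id: null, script, reason: "inline script references the collect endpoint" });
    }
  });
  return findings;
}

// Constructed sample page: the legitimate gtag snippet followed by a minimal
// stand-in for an injected skimmer that uses a foreign property ID.
const SAMPLE_HTML = [
  "<html><head>",
  '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>',
  "<script>",
  "  window.dataLayer = window.dataLayer || [];",
  "  function gtag(){dataLayer.push(arguments);}",
  "  gtag('js', new Date()); gtag('config', 'UA-12345678-1');",
  "</script>",
  "<script>",
  "  // stand-in for an injected skimmer: foreign ID, direct beacon to the collect endpoint",
  "  var tid = 'UA-98765432-1';",
  "  var ep = 'https://www.google-analytics.com/collect?v=1&t=event&tid=' + tid;",
  "</script>",
  "</head><body></body></html>",
].join("\n");

console.log(JSON.stringify(auditGaIds(SAMPLE_HTML), null, 2));
```

Run it against a saved copy of each checkout page (fetched with curl rather than a browser) and treat any finding as something to explain before dismissing; as Kaspersky's analyst notes below, the presence of a legitimate third-party domain is not by itself evidence that the code using it is yours.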

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators,” comments Kaspersky senior malware analyst Victoria Vlasova.

“That makes malicious injects containing Google Analytics accounts inconspicuous—and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is okay.”

So far, about two dozen websites have been found compromised in this way, including stores in Europe and in North and South America.

Kaspersky states that it has informed Google of the problem, and Google confirmed that it continues to invest in spam detection.

Kaspersky recommends that individuals and businesses use a security solution that detects and blocks malicious scripts from running. Alternatively, users can block Google Analytics requests through the private-browsing or tracker-blocking features offered in some security products.
