Recently, researchers at Kaspersky identified several web skimming attacks that abused Google Analytics service to exfiltrate data stolen with an e-skimmer software.
Threat actors exploit the trust in Analytics to bypass Content Security Policy (CSP) using the Analytics API.
Online store web sites use Google’s web analytics service for tracking visitors, for this reason, Google Analytics domains are whitelisted in their CSP configuration.
Kaspersky found about two dozen infected sites worldwide, including e-stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.
The attacker could access the stolen data in their Google Analytics account.
Experts reported that the attacker attempts to evade detection using a classic anti-debugging technique, they use code for checking whether Developer mode is enabled in the visitor’s browser. The malicious code is executed only if the result is negative.
The attackers are also able to monitor the script in Debug mode, experts discovered that if the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will wake up even with the developer tools open.
Upon bypassing the anti-debugging is passed, the script will collect inputs on the compromised website. Then the script collects data using the Google Analytics Measurement Protocol and sends it back to the attackers by invoking the send event method in the ‘eventAction’ field.
“This leads to an HTTP request being sent to the URL
https[:]//www.google-analytics.com/collect?<parameters>&ea=packed_stolen_data&<parameters>” reads the report published by Kaspersky.
The researchers noticed that the malicious code is inserted into a script on the infected site in “readable” form, while in other cases it can be obfuscated and downloaded from a third-party resource.
“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users: administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data.” continues the report. “What’s more, the attack can be implemented without downloading code from external sources.”
Kaspersky researchers published indicators of compromise (IoCs) for the attacks they spotted.
Other security teams also detailed this attack technique, including researchers at PerimeterX.
“While CSP is a useful tool to have in your web security tool belt, it is not foolproof. In addition to the complexity of managing CSP rules, this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection.”
(SecurityAffairs – hacking, e-skimmer)