[BreachExchange] Web-skimming scam infected e-commerce sites on three continents

Destry Winant destry at riskbasedsecurity.com
Wed Jun 24 10:24:22 EDT 2020


About two dozen e-commerce websites in North America, South America
and Europe were recently “web-skimmed” through a ruse pretending to be
Google Analytics.

Despite differences in the merchandise sold, including digital equipment,
cosmetics, food products and spare parts, what the victimized web stores
had in common was failing to notice a deliberately planted typo, such as
‘google-anatytics.com,’ which can divert the flow of payment
information to the wrong party, according to a Kaspersky blog post.

So while over the past decade and a half Google Analytics has
transformed e-commerce, becoming an essential tool now used by more than 29
million websites to analyze their traffic, it has also created a
hackers’ paradise for exploitation by impersonating the service.

“To make the data flow to a third-party resource less visible,
fraudsters often register domains resembling the names of popular web
services,” the blog post said. Victims typically fall for one of a
multitude of legitimate-looking URL variations, but the study also
found that attacks of this kind sometimes use the authentic Google
Analytics service, which websites “blindly trust” without being as
scrupulous as necessary.

To harvest data about visitors using Google Analytics, websites must
configure the tracking parameters in their account on
analytics.google.com, get the tracking ID (trackingId, a string like
UA-XXXX-Y), and insert it into their web pages together with the
tracking code (a special snippet of code). The tracking code then sends
data about visitors to the Analytics account identified by that ID.

Secure List identified several cases where the service was misused:
attackers injected malicious code into the targets, which collected all
the data entered by users and then sent it via Analytics. As a result,
the attackers could access the stolen data in their own Google Analytics
account.

Unsuspecting administrators typically write *.google-analytics.com
into the Content-Security-Policy header, which is used to list the
resources from which third-party code may be downloaded, allowing the
service to collect data. However, an attack can be implemented without
downloading code from external sources, Kaspersky pointed out.
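As an added example (not part of the article or of Kaspersky's research), a small Python audit that applies the two checks the preceding paragraphs imply: flag script hosts that merely resemble google-analytics.com, and flag any tracking ID on the page that the shop did not register, which is the case a CSP allow-list for *.google-analytics.com cannot catch because the data leaves through the genuine service. The sample HTML, the allowed ID UA-1234-1 and the similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample page (not from the article): the shop's own Google
# Analytics tag, followed by an injected snippet that loads from a
# typosquatted host and reports through the real GA endpoint with the
# attacker's tracking ID. A domain allow-list alone would not catch the latter.
SAMPLE_HTML = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-1234-1', 'auto');</script>
<script src="https://google-anatytics.com/analytics.js"></script>
<script>
  ga('create', 'UA-9876-2', 'auto');
  ga('send', 'event', 'checkout', 'data', payload);
</script>
"""

# Assumption for the example: the shop registered exactly one tracking ID.
ALLOWED_TRACKING_IDS = {"UA-1234-1"}
LEGIT_HOSTS = {"google-analytics.com", "www.google-analytics.com"}

TRACKING_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def find_lookalike_hosts(html, legit=LEGIT_HOSTS, threshold=0.85):
    """Hosts that are not the legitimate analytics domain but closely resemble it."""
    hosts = {h.lower() for h in HOST_RE.findall(html)}
    return sorted(h for h in hosts - legit
                  if any(similarity(h, l) >= threshold for l in legit))


def find_foreign_tracking_ids(html, allowed=ALLOWED_TRACKING_IDS):
    """Tracking IDs present on the page that the shop did not register."""
    return sorted(set(TRACKING_ID_RE.findall(html)) - allowed)


def audit(html):
    """Both checks together; an empty result means nothing suspicious was seen."""
    return {"lookalike_hosts": find_lookalike_hosts(html),
            "foreign_tracking_ids": find_foreign_tracking_ids(html)}


if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

Run the audit against the rendered checkout page (the DOM after all scripts have executed), not only the server-side template, since the injected tag may be added at runtime.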

To head off such attacks, Kaspersky urged security software to detect
malicious scripts used in such attacks as

Furthermore, webmasters shouldn’t install web applications and CMS
components from untrusted sources; they should keep all software
current, patch reported vulnerabilities, and create strong passwords for
all administration accounts. Kaspersky also urged that user rights be
limited, that users with access to service interfaces be tracked, and
that user-entered data and query parameters be filtered to prevent
third-party code injection. The company recommended that ecommerce sites
use PCI DSS-compliant payment gateways.
