Kaspersky researchers have uncovered a new technique for stealing users' payment information on ecommerce websites, a type of attack known as web skimming. By registering for Google Analytics accounts and injecting tracking codes into the websites' source code, attackers can collect shoppers' credit card details. About two dozen online stores worldwide were compromised using this method.
Web skimming is a popular practice used by attackers to steal users' credit card information from the payment pages of online stores, whereby attackers inject pieces of code into the source code of the website. This malicious code then collects the data entered by visitors to the site, including account logins and credit card numbers, and sends the harvested data to the address specified by the attackers in the malicious code. Often, to conceal the fact that the webpage has been compromised, attackers register domains with names that resemble popular web analytics services, such as Google Analytics. That way, when they inject the malicious code, it's harder for the site administrator to know that the site has been compromised. For example, a site named "googlc-analytics[.]com" is easy to mistake for a legitimate domain.
Recently, however, Kaspersky researchers have discovered a previously unknown technique for conducting web skimming attacks. Rather than redirecting the data to third-party sources, the attackers redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts' tracking parameters to receive a tracking ID. They then injected the malicious code, along with the tracking ID, into the webpage's source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts.
Since the data isn't being directed to an unknown third-party resource, it's difficult for administrators to realize the site has been compromised. For those examining the source code, it just appears as if the page is connected with an official Google Analytics account, which is a common practice for online stores.
To make the malicious activity even harder to spot, the attackers also employed a common anti-debugging technique: if a site administrator reviews the webpage source code using Developer mode, then the malicious code is not executed.
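One defensive check that follows from the description above is an inventory scan: fetch the served HTML of the payment page as text, extract every Google Analytics tracking ID it references, and alert on any ID the store did not register itself. Because the scan reads the source without executing scripts, the "don't run when Developer mode is open" guard described above does not hide the injected ID. This is an added example, not code from Kaspersky or Securelist; the page source and the tracking IDs in it are constructed placeholders.

```python
import re

# Constructed sample of a checkout page's served HTML (not from the article):
# the store's own Google Analytics tag, plus a second tag carrying a tracking
# ID the store never registered, wrapped in the kind of "skip if the developer
# tools are open" check the article describes. All IDs are placeholders.
SAMPLE_PAGE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>
<script>gtag('config', 'UA-00000000-1');</script>
<script>
  if (!window.__devtoolsOpen) {          // hypothetical anti-debugging guard
    ga('create', 'UA-11111111-1', 'auto');
  }
</script>
"""

# Universal Analytics (UA-xxxxxxxx-n) and GA4 (G-XXXXXXXXXX) measurement ID formats.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def find_tracking_ids(source: str) -> set[str]:
    """Return every Google Analytics tracking/measurement ID present in the source text."""
    return set(TRACKING_ID_RE.findall(source))


def unexpected_tracking_ids(source: str, allowed: set[str]) -> set[str]:
    """Return the IDs on the page that are not in the site owner's allowlist.

    The allowlist is the set of IDs the store actually registered; any other
    ID means data is being sent to someone else's Google Analytics account.
    """
    return find_tracking_ids(source) - allowed


if __name__ == "__main__":
    registered_by_store = {"UA-00000000-1"}
    for tid in sorted(unexpected_tracking_ids(SAMPLE_PAGE, registered_by_store)):
        print(f"ALERT: Google Analytics ID {tid} on payment page is not registered to the store")
```

Run the same check against the HTML your server actually serves (or a crawl of it), not against a copy opened in the browser's developer tools, so the page is inspected as visitors receive it.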
About two dozen websites were found to be compromised in this way, including stores in Europe and North and South America.
"This is a technique we have not seen before, and one that is particularly effective," said Victoria Vlasova, Senior Malware Analyst at Kaspersky. "Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it's frequently given permission to collect user data by site administrators. That makes malicious injects containing Google Analytics accounts inconspicuous and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is OK."
Read more about this new technique for web skimming on Securelist.
To stay safe from web skimming, Kaspersky experts recommend using a reliable security solution like Kaspersky Security Cloud, which can detect and block malicious scripts from being run, or disable Google Analytics altogether using the Safe Browser feature.