
Cybercrims' web skimming strategies taint web analytics platforms

30 Jun 2020

While cybercriminals commonly use web skimming to steal people’s credit card details and personal information directly off online stores’ checkout pages, it is not often those attacks go as far as using legitimate web analytics platforms like Google Analytics. However, researchers from Kaspersky have found that some cybercriminals are doing exactly that. 

Normally, web skimming injects malicious code into a website’s source code. That code then captures personal information like logins and credit card numbers, and sends it directly to an address specified by the perpetrators.

Criminals will often ‘fake’ domains that look like genuine web analytics services, like googlc.analytics[.]com, so that site administrators who aren’t looking too closely would be fooled.

However, researchers say that criminals are now trying something different.

“Rather than redirecting the data to third-party sources, they redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts,” the researchers explain.

This time it is even more difficult for site administrators to detect trickery because the information is going to a genuine analytics account.

Additionally, criminals use an anti-debugging technique that hides the malicious code if site administrators look at the source code in developer mode.

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators,” comments Kaspersky senior malware analyst Victoria Vlasova.

“That makes malicious injects containing Google Analytics accounts inconspicuous—and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is okay.”

So far, about two dozen websites have been found to be compromised in this way, including stores in Europe and North and South America.

Kaspersky states that it has informed Google of the problem. Google confirmed that it has ongoing investments in spam detections.

Kaspersky recommends that people and businesses use a security solution that detects and blocks malicious scripts from running. Alternatively, people can disable Google Analytics in some Safe Browser products.
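For site administrators, one practical check that follows from the researchers' description is to compare every Google Analytics tracking ID a page uses against the IDs the business actually owns. The sketch below is an added example, not code from Kaspersky or Google; the allowed ID, the sample source and the sample request URLs are constructed, and it assumes classic `UA-` style IDs sent in the `tid` parameter of Analytics hits.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: the only tracking ID this shop legitimately owns (constructed value).
ALLOWED_IDS = {"UA-11111111-1"}
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
TRACKING_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")

def ids_in_source(source):
    """Tracking IDs that appear in plain text in HTML/JS source."""
    return set(TRACKING_ID_RE.findall(source))

def ids_in_requests(urls):
    """Tracking IDs taken from the `tid` parameter of Google Analytics hits."""
    found = set()
    for url in urls:
        parts = urlparse(url)
        if (parts.hostname or "").lower() in GA_HOSTS:
            found.update(parse_qs(parts.query).get("tid", []))
    return found

def unexpected_ids(found, allowed=ALLOWED_IDS):
    """IDs in use on the page that the business does not own."""
    return sorted(set(found) - set(allowed))

# Constructed checkout page: only the shop's own ID is visible in the source.
SAMPLE_SOURCE = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-11111111-1', 'auto'); ga('send', 'pageview');</script>
"""

# Constructed request URLs, as exported from a browser session or proxy log
# while loading the checkout page. The second hit carries a foreign ID.
SAMPLE_REQUESTS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-11111111-1&t=pageview",
    "https://www.google-analytics.com/collect?v=1&tid=UA-22222222-1&t=event&el=x",
    "https://cdn.example/static/checkout.js",
]

if __name__ == "__main__":
    print("unexpected in source:  ", unexpected_ids(ids_in_source(SAMPLE_SOURCE)))
    print("unexpected in requests:", unexpected_ids(ids_in_requests(SAMPLE_REQUESTS)))
```

A source scan only sees IDs written in plain text, so the request-side check is the one that still works when the injected code is hidden from whoever inspects the page.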
