How scammers clone credit & debit cards using Google Analytics

Security specialists have detected a skimming operation that runs entirely on Google's servers. The malware sends stolen payment card data directly to Google Analytics, completely bypassing security controls such as Content Security Policy (CSP).

This investigation was carried out by a team of experts from the firm Sansec. A full sample of the malware code is available here.

SOURCE: Sansec

Usually a digital skimmer (also known as Magecart) runs on disreputable servers in tax havens, so its malicious intent is easy to infer from where it is hosted. When a skimming campaign runs on trusted servers (such as Google's), however, security controls are unlikely to flag its traffic as anomalous, and mechanisms such as CSP, which must already allow Google Analytics on most sites, are of little use in preventing these attacks.

From the incidents analyzed, the researchers concluded that dozens of e-commerce sites had been compromised to inject a loader hosted on Google's open storage platform firebasestorage.googleapis.com; the URL of this loader is crafted to resemble the URL of the targeted store:

[Image: sansec01.jpg]
SOURCE: Sansec

This loader has several layers of obfuscation. First, it creates a temporary iframe that loads a Google Analytics account under the attacker's control:

SOURCE: Sansec

It then watches the form input. When a victim enters their credit card details, the data is encrypted and sent as a custom Google Analytics event, the security experts explain.

SOURCE: Sansec

Finally, the threat actors retrieve the payment card data from the Google Analytics dashboard and decrypt it with the XOR key c879f68417529b0c3851a7e336089fcb2c116b8d.

Other risk indicators include:

  • The creators of the malware did not take the time to delete their notes, written in poor English
  • The malware includes a debug/test installation, which can be enabled by adding debug_mode = 11 to local storage
SOURCE: Sansec

This is a serious problem that exposes millions of online merchants to the theft of their customers' payment card data. According to security specialists, the most important measure is to prevent unauthorized access to your code base, which is the cause of most security incidents. Researchers also recommend using dedicated security tools, such as malware and vulnerability scanners for e-commerce sites.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, consult the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.