Hackers are using Google’s servers and the Google Analytics platform in order to steal credit card information submitted by online store customers.
A new technique to bypass Content Security Policy (CSP) using the Google Analytics API has already been deployed in ongoing Magecart attacks designed to steal credit card data from numerous e-commerce sites.
This new method makes use of the fact that e-commerce web sites using Google’s web analytics service for tracking visitors whitelist Google Analytics domains in their CSP configuration. CSP is a security standard used to block the execution of untrusted code on web apps.
According to new research from web security companies Sansec and PerimeterX, using CSP to prevent credit card skimming attacks is senseless on sites that also deploy Google Analytics (GA), as threat actors can use it to exfiltrate harvested data to their own accounts.
Using Google Analytics to bypass CSP
PerimeterX found and demonstrated an easy-to-reproduce vulnerability in the core functionality of CSP when it is used to block theft of credentials, PII and payment data such as credit cards.
Instead of being blocked as an injection-based attack, the attackers’ code uses Google Analytics scripts to steal data. This is done through a web skimmer script that is designed to encode stolen data and deliver it to the attacker’s GA dashboard in an encrypted form.
Because the CSP policy cannot discriminate based on the Tag ID, the attackers can use their own Tag ID (of the form UA-#######-#) so that their scripts can abuse GA to send harvested information such as credentials and credit card data.
Identifying and blocking scripts that abuse this flaw requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data.
PerimeterX’s VP of research Amir Shaked used GA to illustrate how attackers can abuse hosts whitelisted in CSP, as it is the most commonly whitelisted third-party service in CSP configs.
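One defender-side check along the lines of the visibility Shaked describes, as an added example that is not code from PerimeterX, Sansec or this article: CSP cannot tell Tag IDs apart, but every GA beacon carries its Tag ID in the `tid` query parameter of the Measurement Protocol, so outbound request logs can be compared against the IDs the site actually owns, and a CSP header can be inspected for GA allowances. The sample URLs, the `OWN_TAG_IDS` set and both UA-0000000x IDs are constructed placeholders.

```python
"""Flag Google Analytics beacons whose Tag ID is not the site's own.

A CSP that allows google-analytics.com cannot distinguish the store's tracker
from an attacker's, but the beacon URL itself names the Tag ID (``tid``).
"""
from urllib.parse import parse_qs, urlparse

GA_HOSTS = {"www.google-analytics.com", "google-analytics.com", "ssl.google-analytics.com"}

# Tag IDs legitimately used by the store (constructed placeholder value).
OWN_TAG_IDS = {"UA-00000001-1"}

# Constructed sample of outbound request URLs, as a proxy or CSP-report log might record them.
SAMPLE_REQUESTS = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000001-1&cid=555&t=pageview&dp=%2Fcheckout",
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000002-9&cid=555&t=event&ec=x&ea=y&el=ZGF0YQ%3D%3D",
    "https://cdn.example-store.test/js/app.js",
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000001-1&cid=556&t=event&ea=add_to_cart",
]


def tag_id_of(url: str):
    """Return the GA Tag ID of a /collect beacon, or None for any other request."""
    parts = urlparse(url)
    if parts.hostname not in GA_HOSTS or not parts.path.endswith("/collect"):
        return None
    tid = parse_qs(parts.query).get("tid")
    return tid[0] if tid else None


def unexpected_beacons(urls, own_ids=OWN_TAG_IDS):
    """Return (url, tag_id) for every GA beacon whose Tag ID the site does not own."""
    hits = []
    for url in urls:
        tid = tag_id_of(url)
        if tid is not None and tid not in own_ids:
            hits.append((url, tid))
    return hits


def csp_allows_ga(csp_header: str) -> bool:
    """True if the CSP lets the page load from or connect to google-analytics.com."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        if name in ("connect-src", "script-src", "img-src", "default-src"):
            if any("google-analytics.com" in s for s in sources):
                return True
    return False


if __name__ == "__main__":
    for url, tid in unexpected_beacons(SAMPLE_REQUESTS):
        print(f"ALERT unknown GA Tag ID {tid}: {url}")
```

A hit on an unknown Tag ID is only a lead; the `el` payload of the flagged beacon is what an analyst would then inspect for encoded form data.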
Out of the top 3 million Internet domains, only 210,000 are using CSP, according to statistics from PerimeterX based on an HTTPArchive scan from March 2020. 17,000 of the websites reachable via those domains are whitelisting google-analytics.com.
Over 29 million websites are currently using Google’s GA web analytics services.
Sansec’s Threat Research Team revealed that it had been tracking a Magecart campaign since March 17, in which the attackers were misusing this issue to bypass CSP on various e-commerce sites using Google Analytics.
The threat actors performed all the campaign components using Google servers, as they delivered the credit card web skimmer to their targets’ sites via Google’s open storage platform firebasestorage.googleapis.com.
Usually a Magecart campaign runs on dodgy servers in tax havens, and its location reveals its evil purpose. But when a skimming campaign runs entirely on trusted Google servers, only a few security systems will flag it as ‘suspicious’. Also, countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google.
The loader used by the attackers to inject their web skimmer has several layers of obfuscation, and it loads an attacker-controlled GA account within a temporary iframe.
The skimmer then monitors the compromised site for user input; it collects any credit card details entered, encrypts them, and automatically delivers them to its masters’ GA dashboard.
The attackers then collect the stolen credit card data from their free Google Analytics dashboard and decrypt it using an XOR encryption key.
If the affected online store’s customers open their browsers’ Developer Tools, they get flagged and the skimmer automatically disables itself.
So CSP is far from foolproof against injection-based web app attacks such as Magecart if attackers find a way to take advantage of an already allowed domain or service to exfiltrate information.