Hackers Use Popular Web Analytics Tool to Steal Online Shoppers’ Payment Information


Threat actors are now abusing the Google Analytics service to harvest data entered by users. The victims are generally online stores based in Europe and the Americas that sell cosmetics, food products, digital equipment, and spare parts, so the stolen information includes their shoppers’ credit card details.

To perform an attack, evildoers inject malicious code into websites of interest; the code then harvests all the data entered by visitors and sends it through Google Analytics to the hackers’ Analytics accounts. According to a dedicated report by cybersecurity firm Kaspersky, there are around two dozen infected sites globally.

Collecting Everything Anyone Enters

“To make the data flow to a third-party resource less visible, fraudsters often register domains resembling the names of popular web services, and in particular, Google Analytics (google-anatytics[.]com, google-analytcsapi[.]com, google-analytc[.]com, google-anaiytlcs[.]com, google-analytics[.]top, google-analytics[.]cm, google-analytics[.]to, google-analytics-js[.]com, googlc-analytics[.]com, etc.). But attacks of this kind were also found to sometimes use the authentic service,” the report further explains.

To disguise their malicious activity, cybercriminals are using an anti-debugging technique. They also leave themselves a loophole to monitor the script in Debug mode.

“If the anti-debugging is passed, the script collects everything anyone inputs on the site (as well as information about the user who entered the data: IP address, UserAgent, time zone). The collected data is encrypted and sent using the Google Analytics Measurement Protocol,” the Kaspersky report reads.

The names of the affected online stores have not been disclosed yet, though.
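A defender's check for the two exfiltration paths described above, as an added example that is not from the Kaspersky report or this article: it classifies outbound request URLs (for instance from a proxy log or a browser HAR capture) as lookalike Analytics domains or as hits on the genuine service that carry a tracking ID the store does not own. `tid` is the Measurement Protocol's tracking ID parameter; the property IDs, the distance threshold and the sample URLs are constructed assumptions, and only query-string hits are inspected.

```python
from urllib.parse import urlsplit, parse_qs

GA_DOMAIN = "google-analytics.com"
GA_LABEL = "google-analytics"
OWN_TIDS = {"UA-00000000-1"}   # assumption: placeholder for the store's own property ID
MAX_DISTANCE = 3               # assumption: tunable lookalike threshold

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, own_tids=OWN_TIDS):
    """Return 'own', 'foreign-tid', 'lookalike' or 'other' for one request URL."""
    parts = urlsplit(url.replace("[.]", "."))   # accept defanged indicators
    host = (parts.hostname or "").lower()
    if host == GA_DOMAIN or host.endswith("." + GA_DOMAIN):
        # Genuine service: the hit is ours only if every tid is one we own.
        tids = parse_qs(parts.query).get("tid", [])
        return "own" if all(t in own_tids for t in tids) else "foreign-tid"
    # Any host label close to "google-analytics" is treated as a lookalike.
    if any(edit_distance(label, GA_LABEL) <= MAX_DISTANCE for label in host.split(".")):
        return "lookalike"
    return "other"

def audit(urls):
    """Keep only the requests that need a closer look."""
    verdicts = [(classify(u), u) for u in urls]
    return [(v, u) for v, u in verdicts if v not in ("own", "other")]

# Constructed sample requests; the lookalike hosts are the defanged ones quoted above.
SAMPLE = [
    "https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&t=pageview",
    "https://www.google-analytics.com/collect?v=1&tid=UA-11111111-1&t=event",
    "https://google-anaiytlcs[.]com/ga.js",
    "https://google-analytics[.]top/collect",
    "https://cdn.example.com/app.js",
]

if __name__ == "__main__":
    for verdict, url in audit(SAMPLE):
        print(verdict, url)
```
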

Google Services Hit by Cyber Attacks

Fraudulent activity involving Google services has increased over the past months. As of May, Google’s Chrome Web Store was reportedly hit with the most massive surveillance campaign so far, which managed to steal data from users around the world through over 32 million downloads of malicious extensions.

Once downloaded, those extensions can collect passwords and credential tokens stored in cookies or parameters, take screenshots, and read the clipboard.

Also last month, cybersecurity researchers detected a modified version of the ComRAT malware, which now targets Gmail users to steal confidential documents. In addition to stealing documents, the trojan collects information about the network, Microsoft Windows configurations, and Active Directory groups or users.
