Friday, 26 June 2020 11:30

Crooks abuse Google Analytics to conceal theft of payment card data

Written by

(original article)

Ecommerce site’s “blind trust” makes the service a perfect place to dump data.

Hackers are abusing Google Analytics so that they can more covertly siphon stolen credit card data out of infected ecommerce sites, researchers reported on Monday.

Payment card skimming used to refer solely to the practice of infecting point-of-sale machines in brick-and-mortar stores. The malware would extract credit card numbers and other data. Attackers would then use or sell the stolen information so it could be used in payment card fraud.

More recently, these sorts of attacks have expanded to use against ecommerce sites after hackers have compromised them. Hackers use the control they gain to install unauthorized code that runs deep inside the back-end system that receives and processes payment card data during an online transaction. The malicious code then copies the data.

Under the radar

One challenge in pulling off the hack is bypassing website security policies or concealing the exfiltration of massive amounts of sensitive data from endpoint security applications installed on the infected network. Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that found a novel way to achieve this. Instead of sending it to attacker-controlled servers, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce site security policies generally fully trust it to receive data.

“Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users,” Kaspersky Lab researcher Victoria Vlasova wrote here. “Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources.”

The researcher added: “To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts.”

The “UA-XXXX-Y” refers to the tracking ID that Google Analytics uses to tell one account from another. As demonstrated in the following screenshot, showing malicious code on an infected site, the IDs (underlined) can easily blend in with legitimate code.

In a statement issued several hours after this post went live, a Google spokesman wrote: “We were recently notified of this activity and immediately suspended the offending accounts for violating our terms of service. When we find unauthorized use of Google Analytics, we take action.”

The attackers use other techniques to remain stealthy. In some cases, the data siphoning is canceled if the person entering the payment card data has the developer mode of their browser turned on. Because security researchers often used developer mode to detect such attacks, the hackers forgo the data theft in these cases. In other cases, the attackers use program debugging methods to conceal the malicious activity.

Payment card skimming on websites has remained a problem, particularly for people shopping with smaller online merchants who don’t pay enough attention to securing their systems. There are some notable exceptions, but generally larger sites are less prone to these sorts of hacks.

In most if not all cases, it’s impossible for end users to detect credit card skimming with the naked eye. Most antivirus products, however, will catch all or most such attacks. Making online purchases with developer mode turned on can’t hurt and can help in many cases. Other than that, the best defense is to regularly and carefully scrutinize statements for unauthorized purchases and charges.

Updated to add comment from Google

Last modified on Thursday, 21 April 2022 17:19

Latest Comments

Got a similar email that seemed suspicious. Ignored it and they even followed up today.
My organization received one of these emails from "Linda," but uses https://www.bestprosintown.com/p...
Angela Snowman posted a comment in Link Building SEO Directory Scam Alert: loc8nearme.com
Hi Nate, I got the same email template from the same email address today and found you through a ...
Just received one today (16 Aug 2022) from "Mailchimp". Thanks for sharing!
Thanks for posting this. I just got one today. I was 99% sure it was a scam, and your post confirmed...


Design & Development

Wordpress, Drupal, Joomla
New custom websites
Bespoke themes and extensions
Redesigns, upgrades, migrations

Web Design & Development


Optimization & SEO

Let us optimize and manage your overall online presence. We offer full service monthly SEO as well as one-time projects.  

Optimization Plans & Pricing


Maintenance, Patching

White glove monthly backups, security updates, maintenance and testing for your Wordpress, Drupal, or Joomla site.

Maintenance Plans & Pricing


Email Newsletter

Bring your web & marketing performance to the next level: monthly blog post roundup via email.  

Stay in Touch!