Hackers are using the Google Analytics tool to retrieve credit card data submitted by customers of eCommerce websites. This isn't shocking news: in previous years, hackers were known to use the Google search engine to find credit card information from online stores, using the method known as 'Google dorks'. Google dorks made their way around the web from 2003 to 2018 before the issue was patched.
According to a blog post by PerimeterX, the attack bypasses the web app's Content Security Policy (CSP) by using the Google Analytics API. The technique works because sites' CSP settings allow the web analytics service's domains. CSP is used to eliminate client-side bugs and Magecart threats from applications.
Researchers found that the weakness lies in CSP's core features and can be easily replicated on sites that use CSP to block theft of credentials, PII and payment card data. They also found millions of infected eCommerce stores worldwide.
"However, the hack can be carried out without the need to download source code," Victoria Vlasova, Kaspersky's senior malware researcher, stated.
Rather than blocking injection attacks, allowing Google Analytics scripts ends up supporting hackers, because they can use those scripts to steal data. This is done via a web skimmer script specially designed to encode confidential information and deliver it in encrypted form to the attacker's GA dashboard.
"The attackers only have to use their own Tag ID owner of the UA-#######-# form as 'the CSP policy can’t discriminate based on the Tag ID' for their scripts to be able to abuse GA for sending harvested info such as credentials, credit card data, and more."
Researchers say that identifying and blocking scripts designed to use this flaw "requires advanced visibility solutions". The researchers used GA, the most popular third-party application, as an example of how an intruder can abuse CSP whitelists.
After the skimmer is loaded, it tracks and collects all bank details entered on the affected site, encodes them, and then automatically sends them to the attacker's Google Analytics dashboard.
Hackers then decrypt the compromised bank details retrieved from their free Google Analytics tool using an XOR encryption algorithm. If a customer of the infected online store opens Developer Tools in their browser, this is detected and the skimmer is disabled immediately. CSP was developed to restrict the execution of untrusted code. Yet because everyone trusts Google almost all the time, everything from Google is permitted by default.
I urge reas.cash to do the same fix because they may be next in line for a CSP bypass. Have a talk with your security personnel and try to block this issue from ever happening.
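The Tag ID point above can be turned into a check. The following is an added example, not code from PerimeterX, Kaspersky or this post: it audits captured request URLs and shows that a CSP allowing Google Analytics passes hits for any Tag ID, while an allowlist of the site's own Tag IDs tells them apart. The policy, the Tag IDs, the URLs and the assumption that hits are governed by connect-src are all constructed for illustration.

```javascript
// Added example; every hostname, Tag ID and URL below is constructed sample data.
// Sources listed for one CSP directive, e.g. "connect-src".
function cspSources(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return [];
}

// Minimal host-source match (scheme plus exact or "*." wildcard host).
// CSP matches scheme, host, port and path, never the query string, so tid is not examined.
function cspAllows(policy, directive, url) {
  const u = new URL(url);
  return cspSources(policy, directive).some((src) => {
    const m = /^(?:(https?):\/\/)?([^/:]+)/.exec(src);
    if (!m || (m[1] && m[1] + ":" !== u.protocol)) return false;
    const host = m[2].toLowerCase();
    return host.startsWith("*.")
      ? u.hostname.endsWith(host.slice(1))
      : u.hostname === host;
  });
}

// Report every GA hit, whether CSP lets it through, and whether its Tag ID is ours.
function auditGaHits(urls, policy, ownTagIds) {
  const findings = [];
  for (const url of urls) {
    const u = new URL(url);
    if (!/(^|\.)google-analytics\.com$/.test(u.hostname)) continue;
    const tid = u.searchParams.get("tid");
    findings.push({
      tid,
      passesCsp: cspAllows(policy, "connect-src", url),
      foreignTag: !ownTagIds.includes(tid),
    });
  }
  return findings;
}

const POLICY = "default-src 'self'; connect-src 'self' https://www.google-analytics.com";
const OWN_TAGS = ["UA-1111111-1"];
const HITS = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&t=pageview",
  "https://www.google-analytics.com/collect?v=1&tid=UA-2222222-1&t=event&ea=QUJD",
  "https://shop.example/api/cart",
];
const REPORT = auditGaHits(HITS, POLICY, OWN_TAGS);
console.log(REPORT.filter((f) => f.foreignTag));
```

Both Google Analytics hits pass the policy, and only the Tag ID comparison separates the site's own hit from the foreign one.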