Hackers steal credit cards using Google Analytics to Bypass  CSP

5 111

Hackers are using Google Analytics tool to retrieved credit card data submitted by customers of eCommerce web sites. This isn't shocking news at all, you know in the previous year's hackers are known to be using google search engine to find credit card information of online store using the method known has 'google dorks' . Of which google dork have it way around the web from 2003-2018 before it was patch .

According to a blog post by PerimeterX, The attack avoids the Content Security Policy (CSP) application of the web app using the Google Analytics API. The strategies are used because of CSP settings of the internet monitoring service's domains. CSP is used to eliminate client-side bugs and Magecart threats from applications.

Researchers found the weakness can be easily replicated in CSP's core features if using CSP to block credential theft, PII and payment card data. They also found millions on infected eCommerce store worldwide

However, the hacker can be carried out without the need to download source code, "Victoria Vlasova, Kaspersky 's senior malware researcher, stated.

Alternatively, Google Analytics scripts are likely to be supporting hackers because they can use them to steal data rather than blocking injector attacks. These is done via a Web skimmer script specially designed for encoding confidential information and for delivering them in encrypted form to the attacker's GA dashboard.

"The attackers only have to use their own Tag ID owner of the UA-#######-# form as "the CSP policy can’t discriminate based on the Tag ID" for their scripts to be able to abuse GA for sending harvested info such as credentials, credit card data, and more."

Researchers says that you need "requires advanced visibility solutions" to identify and block scripts designed to use this flaw. Researchers used GA the most popular third-party application, which is an example of an intruder using CSP whitelists.

After the skimmer is loaded, this will track and collect every bank details entered and encode the affected site and then automatically send it over to the google analytics dashboard of the Attacker. 

 Hackers will then decrypt compromised bank details from their free Google analytics tool via an XOR encryption algorithm. If the infected online store customers opened Developer Tools on their browsers, they will get flagged and the eskimmer disabled immediately. CSP has been developed to restrict unauthenticated code execution. Yet like everyone trusts Google almost all the time, By default, everything is permitted.

7
$ 0.01
$ 0.01 from @Dangerous_Fly
Sponsors of Secure
empty
empty
empty

Comments

I edge reas.cash to do the same fix because they may be next inline CSP Bypass
have a talk with your security personal & try and block it issue from every happen

$ 0.00
4 years ago

Those hacks are scary. It happens to blockchain as well but I hope blockchain developers will be able to solve this problem.

$ 0.00
4 years ago

the world itself seems like a mess and the hacker are making it more difficult

$ 0.00
4 years ago

Right. We need more people to fight this kind of activity.

$ 0.00
4 years ago

Wow

$ 0.00
User's avatar Pah
4 years ago