Cybercriminals using Google Analytics to bypass CSP barrier and steal financial data

News by Rene Millman

Online shops in Europe, US and South America compromised by attack using Google Analtics to bypass CSP - more barries advised.

Hackers have devised a new skimming technique to steal payment card information from victims as the shop online.

According to a blog post by PerimeterX, the attack bypasses a web application’s Content Security Policy (CSP) by using the Google Analytics API. The techniques takes advantage of the web tracking service’s domains being whitelisted in CSP configurations. CSP is used to protect applications against client-side vulnerabilities and Magecart attacks.

In this case, the researchers found “an easy to reproduce vulnerability in the core functionality of CSP when using it for blocking theft of credentials, PII and payment data like credit cards.”

For the web skimming attack to work, hackers use their own Google Analytics tag ID as the CSP “can’t discriminate based on the Tag ID”.

“The source of the problem is that the CSP rule system isn’t granular enough. Recognising and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data (in this case the user’s email address and password),” said PerimeterX's VP of research and development Amir Shaked.

In a blog post by Kaspersky, researchers discovered about two dozen infected sites worldwide. The victims included stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.

“What’s more, the attack can be implemented without downloading code from external sources,” said Victoria Vlasova, senior malware analyst at Kaspersky.

Shaked said that a possible solution would come from adaptive URLs, adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts.

“A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement. This will essentially create a client-side WAF that can enforce a policy on where specific data field are allowed to be transmitted,” he added.

“While CSP is a useful tool to have in your web security tool belt, it is not foolproof. In addition to the complexity of managing CSP rules, this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection.”

Jamie Akhtar, CEO and co-founder of CyberSmart, told SC Media UK that there are a few ways organisations can protect themselves against these attacks.

“For example, they can use a tag manager which will hide the UA-XXXXXX Ids. It's also important to have an inventory of all 3rd party code being used to know what data is being accessed. Using any third-party code will come with risks so it's safest to assume any code is vulnerable. There are code protection applications out there so it would be good practice to implement them,” he said.

“Having more barriers to sign in is also a good place to start in protecting yourself. Using two-factor authentication, Google authenticator or enabling more than two devices for protected sign in. You should also ensure your data is encrypted as you share it across platforms."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews