Google web tool used to steal credit cards online -- how to protect yourself

Cybercriminals have developed a new skimming technique to pilfer people’s payment-card information as they shop online, according to a leading antivirus firm.

Moscow-based cybersecurity giant Kaspersky reports in a blog posting today (June 22) that online crooks are gathering credit-card information by creating Google Analytics accounts, copying the tracking code of their accounts and then inserting that code into the webpage code of breached online stores.

Kaspersky warns that “about two dozen online stores worldwide were compromised using this method”, most of which were in the U.S., Europe and South America.

Web-skimming attacks aren’t exactly new. Crooks often use this method to gain access to the credit-card details of unsuspecting victims, and it’s become more prevalent with the rapid growth of online shopping in recent years. 

These attacks are mounted when perpetrators alter the source code of websites, allowing them to collect all the information that a user submits on a site. (In most instances, the website owners and administrators are unaware their sites have been changed.) This data, including payment information, is then forwarded to the culprit. 

The crooks have also used domains that masquerade as legitimate services like Google Analytics to make it more difficult for site administrators to notice that their websites are compromised. 

Kaspersky said this normally involves deliberate misspellings of the Google Analytics domain (google-analytics.com) such as google-anatytics, google-analytcsapi, google-analytc, google-anaiytlcs and so on. 

Using legitimate Google Analytics accounts

But the technique discovered by Kaspersky is new. Instead of faking the Google Analytics domain name, the crooks make sure the stolen data is sent to a legitimate Google Analytics account that has been created by the attacker. 

“Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID,” said Kaspersky.

“They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts.”

Tough times for admins

As a result, it’s not easy for website admins to identify and respond to website compromises. 

Kaspersky explained: “For those examining the source code, it just appears as if the page is connected with an official Google Analytics account — a common practice for online stores.”

An anti-debugging method used by the attackers also makes the job of admins and security professionals more difficult: the malicious code checks whether someone may be inspecting it and, if so, stays hidden.

Kaspersky said that “if a site administrator reviews the webpage source code using Developer mode, then the malicious code is not executed.”

Victoria Vlasova, senior malware analyst at Kaspersky, said: “This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. 

“The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators. That makes malicious injects containing Google Analytics accounts inconspicuous — and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is ok.”

Kaspersky recommends that users install a security solution that “can detect and block malicious scripts from being run,” which the best antivirus software ought to be able to do.
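
For site administrators, the two signs described above (a misspelled Google Analytics domain, or a tracking ID that does not belong to the store) can be checked against the page source as served, without opening Developer mode. The script below is an added example, not code from Kaspersky or from this article; the allowlist `own_ids`, the sample page, the tracking IDs and the similarity threshold are all assumptions, and it only finds IDs that appear in plain text.

```python
import re
from difflib import SequenceMatcher

GA_DOMAIN = "google-analytics.com"
GA_LABEL = "google-analytics"
ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")   # Universal Analytics style tracking IDs
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")
SIMILARITY = 0.8  # assumed threshold; tune it against your own pages


def is_lookalike(host):
    """True if any label of host imitates google-analytics and host is not Google's."""
    host = host.lower().rstrip(".")
    if host == GA_DOMAIN or host.endswith("." + GA_DOMAIN):
        return False
    return any(
        SequenceMatcher(None, GA_LABEL, label).ratio() >= SIMILARITY
        for label in host.split(".")
    )


def audit_page(html, own_ids):
    """Return tracking IDs missing from the allowlist and lookalike hosts in html."""
    found_ids = set(ID_RE.findall(html))
    hosts = set(HOST_RE.findall(html))
    return {
        "unknown_ids": sorted(found_ids - set(own_ids)),
        "lookalike_hosts": sorted(h for h in hosts if is_lookalike(h)),
    }


# Constructed sample page source (not from a real site; both IDs are made up).
SAMPLE = """
<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-11111111-1', 'auto');</script>
<script src="//www.google-anatytics.com/ga.js"></script>
<script>ga('create', 'UA-22222222-1', 'auto');</script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE, own_ids={"UA-11111111-1"})
    for key, values in report.items():
        print(key, values)
```

Run it against the HTML fetched from the live checkout pages, not the copy in the repository, since the injected code lives on the breached site.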