Google Analytics as a data exfiltration channel

Our experts uncovered a scheme to extract cardholder data using Google tools.

Web skimming, a fairly common method of getting cardholder data from visitors of online stores, is a time-honored cybercriminal practice. Recently, however, our experts discovered a rather dangerous innovation involving the use of Google Analytics to exfiltrate stolen data. Let’s explore why this is dangerous and how to deal with it.

How Web skimming works

The basic idea is that attackers inject malicious code into pages on the target website. How they do it is a separate topic. Sometimes they brute-force (or steal) an administrator account password; sometimes they exploit vulnerabilities in the content management system (CMS) or in one of its third-party plugins; sometimes they deliver the injection through an incorrectly coded input form.

The injected code logs all user actions (including entered bank card data) and transfers everything to its owner. Hence, in the vast majority of cases, Web skimming is a type of cross-site scripting.

Why Google Analytics

Data collection is only half the job. Malware still needs to send the gathered information to the attacker. However, Web skimming has been around for years, so industry developed mechanisms for fighting back. One method involves using a Content Security Policy (CSP) — a technical header that lists all services with the right to collect information on a particular site or page. If the service used by the cybercriminals is not listed in the header, the malefactors will not be able to withdraw any information they harvest. In the light of such protective measures, some schemers came up with the idea of using Google Analytics.

Today, almost every website carefully monitors visitor statistics. Online stores do it as a matter of course. The most convenient tool for this purpose is Google Analytics. The service allows data collection based on many parameters, and currently approximately 29 million sites use it. The likelihood that data transfer to Google Analytics is allowed in the CSP header of an online store is extremely high.

To collect website statistics, all you have to do is configure tracking parameters and add a tracking code to your pages. As far as the service is concerned, if you are able to add this code, you are the legitimate owner of the site. So the attackers’ malicious script collects user data, and then, using their own tracking code, sends it through the Google Analytics Measurement Protocol, directly to their account. Securelist’s post has more details on the attack mechanism and indicators of compromise.

What to do

The primary victims of the scheme are users who enter banking card data online. But for the most part, the problem needs to be tackled from the side of the companies that support websites with payment forms. To preclude user data leakage from your site, we recommend:

  • Regularly updating all software, including Web applications (the CMS and all of its plugins),
  • Installing CMS components from trusted sources only,
  • Adopting a strict CMS access policy that restricts user rights to the minimum necessary and mandates the use of strong and unique passwords,
  • Conducting periodic security audits of the site with the payment form.

As for users — the potential direct victims of this scheme — the advice is simple: Use reliable security software. Kaspersky solutions for both home users and SMBs detect malicious scripts on payment sites thanks to our Safe Money technology.