Hackers found web skimming via Google Analytics by injecting malicious code
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic, currently as a platform inside the Google Marketing Platform brand. Google launched the service in November 2005 after acquiring Urchin. As of 2019, Google Analytics is the most widely used web analytics service on the web. Google Analytics provides an SDK that allows gathering usage data from iOS and Android apps, known as Google Analytics for Mobile Apps.
Google Analytics is used to track website activity such as session duration, pages per session, bounce rate, etc. of individuals using the site, along with the information on the source of the traffic. It can be integrated with Google Ads, with which users can create and review online campaigns by tracking landing page quality and conversions (goals). Goals might include sales, lead generation, viewing a specific page, or downloading a particular file.
Web skimming is a form of internet or carding fraud whereby a payment page on a website is compromised when malware is injected onto the page, typically by compromising a third-party script service, in order to steal payment information. A report in 2016 suggested as many as 6,000 e-commerce sites may have been compromised via this class of attack. In 2018, British Airways had 380,000 card details stolen via this class of attack. A similar attack affected Ticketmaster the same year, with 40,000 customers affected by maliciously injected code on payment pages.
Recently, researchers at SecurityList found that attackers had injected malicious code into about two dozen websites worldwide. The code collected all the data entered by users and then sent it via Analytics to the attackers' own Google Analytics account, so the attackers could read the stolen data there. The victims included stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts, etc.
SecurityList has also provided screenshots showing how the infection looks: the malicious code, together with the attacker's tracking code and tracking ID.
As you can see in the code above, the attacker tries to hide the malicious activity using a classic anti-debugging technique.
In the image above, the attacker's script checks whether Developer mode is enabled in the visitor's browser.
According to SecurityList, the attackers left themselves a loophole: the option to monitor the script in Debug mode. If the browser's local storage (localStorage) contains the value 'debug_mode' == '11', the malicious code will spring into life even with the developer tools open and will go as far as to write comments to the console in clumsy English with errors.
After the anti-debugging check passes, the script collects everything anyone inputs on the site (as well as information about the user who entered the data: IP address, User-Agent, time zone); the data is then encrypted and sent using the Google Analytics Measurement Protocol.
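A defensive check that follows from this: the stolen data goes to the attacker's own tracking ID, and because the beacons are sent to google-analytics.com, a Content Security Policy that allows that domain for the site's own analytics cannot tell the two apart. What a site can do is compare every Analytics property ID referenced in its pages against the IDs it actually owns. The Python below is an added example, not code from the report or from SecurityList; the page snippet and all tracking IDs in it are constructed for illustration.

```python
import re

# Google Analytics property IDs as they appear in page scripts: the classic
# "UA-1234567-1" form and the newer "G-XXXXXXXX" form, either inline or as the
# "tid=" parameter of a Measurement Protocol beacon
# (www.google-analytics.com/collect?v=1&tid=UA-...&...).
_ID_PATTERN = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
_TID_PATTERN = re.compile(r"[?&]tid=(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})")


def find_tracking_ids(page_source):
    """Return the set of all GA property IDs referenced anywhere in the page."""
    ids = set(_ID_PATTERN.findall(page_source))
    ids.update(_TID_PATTERN.findall(page_source))
    return ids


def find_unexpected_ids(page_source, own_ids):
    """IDs present in the page that are not the site's own: candidates for
    data exfiltration through a third party's Analytics account."""
    return sorted(find_tracking_ids(page_source) - set(own_ids))


def references_debug_backdoor(page_source):
    """Flag scripts that consult the 'debug_mode' localStorage key the
    report describes as the attackers' private switch."""
    return bool(re.search(r"localStorage\.getItem\(\s*['\"]debug_mode['\"]", page_source))


# Constructed sample page (not a real site): the legitimate gtag snippet for
# property UA-1111111-1 plus an injected script that beacons to a different
# property and checks for the attacker-only debug switch.
SAMPLE_PAGE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1111111-1"></script>
<script>gtag('config', 'UA-1111111-1');</script>
<script>
  var d = localStorage.getItem('debug_mode') == '11';
  var beacon = 'https://www.google-analytics.com/collect?v=1&tid=UA-9999999-2&t=event';
</script>
"""

if __name__ == "__main__":
    # Expected: ['UA-9999999-2'] and True for the constructed page.
    print(find_unexpected_ids(SAMPLE_PAGE, ["UA-1111111-1"]))
    print(references_debug_backdoor(SAMPLE_PAGE))
```

Run it against rendered page source (not just the server-side template) so that scripts injected at runtime are included in the scan.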
[Image Source: Security List]
This is how the attacker harvests data from the websites by injecting malicious code. Google Analytics is a very popular service, used by 52.9 percent of all websites on the internet, more than 10 times the next most popular analytics option, Yandex Metrics.
How can you avoid this? Site owners should install an Internet security service that detects such malicious code and set strong passwords on their accounts. Users are also advised not to install web applications and CMS components from untrusted sources and to keep their software updated.
For more news on tech and cybersecurity, stay tuned to Android Rookies by subscribing to our newsletter here.