Fake Google analytics and Angular scripts leveraged to compromise Magneto sites and steal credit card details

• The scripts have been created with an intent to steal credit card details from checkout pages of Magento-based online shops.
• According to PublicWWW, around 40 sites have been found containing fake Angular scripts.

Attackers have come up with a new way to steal credit card details from Magneto-based online sites. Lately, they are injecting fake Google Analytics and Angular scripts into legitimate JS files to make them less suspicious and evade detection by website owners.

How it works - A malicious code is injected into the real JS files such as skin/frontend/default/theme122k/js/jquery.jscrollpane.min.js, js/meigee/jquery.min.js, and js/varien/js.js. The malicious code injected loads another script from www[.]google-analytics[.]cm/analytics[.]js. To a naked eye, the script will look very similar to the real Google Analytics location - www[.[google-analytics[.[com/analytics[.[js. However, a close look at it shows that the fake script uses .cm top-level domain instead of .com.

The script has been created with an intent to steal credit card details from checkout pages of Magneto-based online shops.

Fake Angular script is also used - On some sites, attackers had injected fake Angular scripts that looked legitimate Angular code. The fake code contains many keywords that look relevant to the popular JavaScript framework, such as Angular.io, algularToken, angularCdn, and angularPages.

“However, a more thorough analysis shows that angularCdn is an encrypted URL, alglularToken (note the typo) is a decryption key, and the rest of the code are functions that decode the URL and dynamically load a script from it,” added the Denis Sinegubko, a researcher from Sucuri in a blog post.

How many sites are infected - According to PublicWWW, around 40 sites have been found containing fake Angular scripts. In most case, they are not formatted and occupy a single line of code.

“Each site has its own version of the script, with different decryption keys and encoded URLs. It’s worth mentioning that the majority of these <script> tags have various misleading references to google/analytics/magento/conversions,” explained the researchers.