Shoppers' credit card details have been under threat for quite some time. However, the threat just got bigger, with hackers using a unique technique to steal them.
Attackers are exploiting the Google Apps Script domain (script.google.com) to evade Content Security Policy (CSP) controls and malware scan engines. This technique is particularly intriguing because e-commerce stores trust Google's Apps Script domain, and thus all Google subdomains get whitelisted on those sites.
What does this imply?
This is not the first time that this platform has been abused. The technique was used in 2017 by the FIN7 threat actor, along with Google Sheets and Google Forms. Its re-emergence indicates that protecting online stores from untrusted domains is simply not enough anymore.
Google Analytics being exploited
Magecart attacks are abusing the Google Analytics platform to steal payment credentials from dozens of web stores. Why is this crucial? Because exploiting the Google Analytics API allows hackers to sidestep CSP. Hence, instead of injection-based attacks being blocked, Google Analytics scripts enable threat actors to steal and exfiltrate information.
The bottom line
CSP was created to limit the execution of untrusted code. However, because of the trust placed in Google, the model is now flawed. Thus, it is imperative that online store owners ensure that hackers cannot inject unauthorized code. Moreover, vulnerability and server-side malware scanning should be conducted.
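For store owners reviewing their own policy, the following added example (not code from the original article) audits a CSP header for sources that cover the two Google services named above. The host list, the watched directives and the sample policies are assumptions constructed for illustration.

```javascript
// ASSUMPTION: host list built from the two services named in the article.
const RISKY_HOSTS = ["script.google.com", "www.google-analytics.com"];
// Directives that decide where scripts load from and where data may be sent.
const WATCHED = ["default-src", "script-src", "script-src-elem",
                 "connect-src", "img-src", "form-action"];

// Parse a CSP header into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so only the first one counts.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// True when a CSP source expression allows the given host.
// Paths and ports are ignored here, so treat a hit as a prompt for review.
function sourceCoversHost(source, host) {
  if (source.startsWith("'")) return false;      // 'self', nonces, hashes
  if (source === "*") return true;               // bare wildcard
  if (/^https?:$/i.test(source)) return true;    // scheme-only source
  const h = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
                  .split("/")[0].split(":")[0].toLowerCase();
  if (h.startsWith("*.")) return host.endsWith(h.slice(1)); // subdomains only
  return h === host;
}

// Return one finding per (directive, source, risky host) match.
function auditCsp(header) {
  const findings = [];
  for (const [directive, sources] of parseCsp(header)) {
    if (!WATCHED.includes(directive)) continue;
    for (const source of sources)
      for (const host of RISKY_HOSTS)
        if (sourceCoversHost(source, host)) findings.push({ directive, source, host });
  }
  return findings;
}

// Constructed sample policies: a broad Google allow-list and a tighter one.
const WEAK = "default-src 'self'; script-src 'self' https://*.google.com " +
  "https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com";
const TIGHT = "default-src 'self'; script-src 'self' 'nonce-abc123'; " +
  "connect-src 'self' https://api.shop.example";
for (const f of auditCsp(WEAK)) console.log(`${f.directive}: ${f.source} allows ${f.host}`);
```

A clean result only means the policy does not allow these two hosts; it says nothing about code already injected on the server, which is why the scanning mentioned above still applies.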