Are you a regular customer of eBay, Amazon, and other e-commerce websites? If your answer is yes, read along to know how hackers can sneakily siphon off your card details using Google Analytics.
What’s going on?
Hackers are leveraging Google’s servers and Google Analytics platform to steal credit card information. This is a new tactic used to bypass Content Security Policy (CSP) using the Google Analytics API. There are Magecart attacks ongoing that utilize this tactic to scrape credit card info from e-commerce sites.
How does this work?
- Threat actors can use Google Analytics scripts to steal data. They use a web skimmer script that is designed to encode and encrypt stolen data and send it to the actor’s Google Analytics dashboard.
- The attackers use their own Tag ID of the UA-#######-# form, since CSP does not discriminate based on Tag ID: a policy that allows google-analytics.com allows beacons carrying any Tag ID. The root of the issue lies in the non-granular structure of the CSP rule system.
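The following is an added, defender-side example; it is not code from the article, from Google, or from any skimmer it describes. It models the point above: a CSP source list is matched on scheme and host only, so a policy that allows google-analytics.com cannot tell the site's own Tag ID from a foreign one, while a monitoring check that reads the `tid` query parameter of Universal Analytics collect hits (a real Measurement Protocol parameter) can. The policy, the Tag IDs and the captured request URLs are constructed placeholders.

```javascript
// Added example (not from the original article). Toy model of CSP host matching
// versus a Tag-ID-aware check over captured outbound requests.

// Simplified model of how a browser evaluates a CSP source list: only scheme
// and host are compared, never the query string. Real CSP matching also handles
// ports, paths, wildcards and keywords; this toy covers plain host entries.
function cspAllows(sourceList, requestUrl) {
  const req = new URL(requestUrl);
  return sourceList.split(/\s+/).some((src) => {
    if (src.startsWith("'")) return false; // keywords such as 'self' are out of scope here
    const allowed = new URL(src.includes('://') ? src : 'https://' + src);
    return allowed.protocol === req.protocol && allowed.hostname === req.hostname;
  });
}

// The site's own Tag ID (constructed placeholder of the UA-#######-# form).
const SITE_TAG_IDS = new Set(['UA-1234567-1']);

// A Universal Analytics beacon carries the Tag ID in the `tid` query parameter.
// Return the tid if the URL is a GA collect hit, otherwise null.
function extractTid(requestUrl) {
  const u = new URL(requestUrl);
  if (!/(^|\.)google-analytics\.com$/.test(u.hostname)) return null;
  if (!/^\/(collect|j\/collect|r\/collect)$/.test(u.pathname)) return null;
  return u.searchParams.get('tid');
}

// Defender-side check: flag any GA hit whose tid is not one of the site's own.
// The input is a list of outbound request URLs, as a monitoring proxy or a
// browser DevTools export might provide.
function findForeignTags(requestUrls, knownTagIds = SITE_TAG_IDS) {
  const findings = [];
  for (const url of requestUrls) {
    const tid = extractTid(url);
    if (tid !== null && !knownTagIds.has(tid)) findings.push({ url, tid });
  }
  return findings;
}

// Constructed sample: one legitimate page-view hit, one hit to a foreign Tag ID
// with an opaque payload, and one unrelated CDN request.
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=pageview&dp=%2Fcheckout',
  'https://www.google-analytics.com/collect?v=1&tid=UA-7654321-9&t=event&ea=x&el=ZW5jb2RlZA%3D%3D',
  'https://cdn.example.com/app.js',
];

// Constructed connect-src source list of the kind the article describes.
const CONNECT_SRC = "'self' https://www.google-analytics.com";

// CSP verdicts: both GA hits pass, regardless of which Tag ID they carry.
const cspVerdicts = SAMPLE_REQUESTS.map((u) => [u, cspAllows(CONNECT_SRC, u)]);
console.log('CSP allows:', cspVerdicts);

// Tag-ID check: only the hit with the foreign tid is flagged.
console.log('Foreign Tag IDs:', findForeignTags(SAMPLE_REQUESTS));
```

The CSP model is deliberately minimal; the point it makes is that nothing in a source list looks past the host, so the `tid` can only be enforced by something that inspects the request itself (a proxy, a browser extension, or server-side review of captured traffic). The allow-list of known Tag IDs has to be maintained by the site owner.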
Important stats about Google Analytics
- Only 210,000 web domains out of the top 3 million are using CSP to protect user data on their sites. Moreover, 17,000 sites reachable via these top domains have whitelisted google-analytics.com.
- Over 29 million websites are reportedly using Google Analytics services, whereas Yandex Metrika and Baidu Analytics are used on 2 million and 7 million sites, respectively.
What are the experts saying?
- Willem de Groot stated, “CSP was invented to limit the execution of untrusted code. But since pretty much everybody trusts Google, the model is flawed.”
- Experts suggest that a potential solution for this would come from adaptive URLs that include the Tag ID as part of the URL, so that a CSP rule could allow a specific ID rather than the whole domain.
The bottom line is that CSP cannot ensure website security if hackers find clever ways to bypass it. Since domains like Google Analytics are trusted by default, it creates a vulnerable situation for most popular websites using it.