Attackers have found a new way to steal online shoppers’ payment details using a popular web analytics service

 
 
 
Kaspersky researchers have uncovered a new technique for stealing users’ payment information on online shopping websites—a type of attack known as web skimming. By registering for Google Analytics accounts and injecting these accounts’ tracking code into the websites’ source code, attackers can collect users’ credit card details. About two dozen online stores worldwide were compromised using this method.

Web skimming is a popular practice used by attackers to steal users’ credit card details from the payment pages of online stores, whereby attackers inject pieces of code into the source code of the website. This malicious code then collects the data entered by visitors to the site (i.e. payment account logins or credit card numbers) and sends the harvested data to the address specified by attackers in the malicious code. Often, to conceal the fact that the webpage has been compromised, attackers register domains with names that resemble popular web analytics services, such as Google Analytics. That way, when they inject the malicious code, it’s harder for the site administrator to know that the site has been compromised. For example, a site named “googlc-analytics[.]com” is easy to mistake for a legitimate domain.

Recently, however, Kaspersky researchers have discovered a previously unknown technique for conducting web skimming attacks. Rather than redirecting the data to third-party sources, the attackers redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts.

Because the data isn’t being directed to an unknown third-party resource, it’s difficult for administrators to realize the site has been compromised. For those examining the source code, it just appears as if the page is connected with an official Google Analytics account—a common practice for online stores.

To make the malicious activity even harder to spot, the attackers also employed a common anti-debugging technique: if a site administrator reviews the webpage source code using Developer mode, then the malicious code is not executed.
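
For site administrators, the two tricks described above (look-alike analytics domains and an injected tracking ID that is not the store's own) can be checked for by auditing the served page source. The following is an added example, not code from Kaspersky or from the original article; the sample page, the tracking IDs, the allowlist and the function names are constructed for illustration, and the ID patterns assume IDs appear in plain text in the `UA-` or `G-` format.

```javascript
// Constructed sample page: one expected tracking ID, one unexpected ID, one look-alike host.
const SAMPLE = `
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-11111111-1', 'auto');</script>
<script>ga('create', 'UA-99999999-2', 'auto');</script>
<script src="//googlc-analytics.com/ga.js"></script>
<script src="https://cdn.example.com/app.js"></script>`;

// Analytics domains the store legitimately loads from (assumed allowlist).
const LEGIT = ["google-analytics.com", "googletagmanager.com"];

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // value of d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + cost);
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns tracking IDs not on the store's allowlist and hosts that
// nearly match, but are not, a legitimate analytics domain.
function auditPage(html, allowedIds) {
  const allowed = new Set(allowedIds);
  const ids = html.match(/\bUA-\d{4,10}-\d{1,4}\b|\bG-[A-Z0-9]{8,12}\b/g) || [];
  const unknownIds = [...new Set(ids)].filter((id) => !allowed.has(id));

  const lookalikeHosts = new Set();
  for (const m of html.matchAll(/\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    const host = m[1].toLowerCase();
    const base = host.split(".").slice(-2).join("."); // naive registrable domain
    if (LEGIT.includes(base)) continue; // genuine analytics host
    if (LEGIT.some((d) => editDistance(base, d) <= 2)) lookalikeHosts.add(host);
  }
  return { unknownIds, lookalikeHosts: [...lookalikeHosts] };
}

console.log(auditPage(SAMPLE, ["UA-11111111-1"]));
```

Because this reads the source without executing it, the result does not depend on whether the injected code chooses to run; it will not find an ID that the injected code stores in encoded form.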
