Kaspersky’s researchers have discovered a new technique used to steal the payment information of users visiting shopping websites, a type of attack known as “web skimming”.
The discovery of Kaspersky’s researchers
Web skimming
Web skimming is a popular technique used by cybercriminals to steal credit card data from users visiting online stores. It relies on “code injection”, that is, adding new pieces of code to the website’s source code. The malicious code gathers the data entered by users (for example the login credentials used for payment, or credit card numbers) and sends it to an address that the attackers have specified inside the malicious code.
Usually, in order to hide the fact that the webpage has been compromised, cybercriminals register domains whose names resemble those of popular web analytics services, such as Google Analytics. This way, once the malicious code is injected, it is difficult for the web administrator to notice that the site has been compromised: a domain such as “googlc-analytics[.]com”, for example, is easy to mistake for the real one.
A previously unknown technique
Recently, Kaspersky’s researchers discovered a previously unknown technique for conducting “web skimming” attacks. Instead of redirecting the data to a third-party domain, the cybercriminals send it to legitimate Google Analytics accounts. After registering an account on Google’s web analytics service, all the cybercriminals need to do is configure their tracking parameters to obtain a tracking ID. They then inject the malicious code, together with that tracking ID, into the website’s source code, which lets them gather data from visitors and send it directly to their own Google Analytics account.
Since the data is not sent to an unknown third party, it is hard for website administrators to realize that the site has been compromised: examining the code only shows the page connecting to a legitimate Google Analytics account, which is common practice for an online store.
To make the malicious activity harder to identify, the cybercriminals also employed another, more common tactic known as “anti-debugging”: if a website administrator tries to examine the source code using the browser’s Developer mode, the malicious code is not executed.
More than twenty websites have been compromised using this method, including online stores in North and South America and Europe.
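The two warning signs the article describes, a Google Analytics tracking ID the shop never registered and a script host that merely looks like an analytics domain, can both be checked mechanically. The following script is an added example written for this page; it is not Kaspersky’s or Securelist’s code. It assumes the shop keeps a list of the tracking IDs it actually owns and of the analytics domains it legitimately loads; the HTML it scans is a constructed sample, and the `UA-`/`G-` ID patterns and the edit-distance threshold are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a checkout page (not a real site): one tracker the shop
# owns, one it never registered, and one script from a look-alike domain.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
  ga('create', 'UA-111111-1', 'auto');   /* the shop's own tracker */
  ga('create', 'UA-222222-2', 'auto');   /* tracker the shop never registered */
</script>
<script src="https://googlc-analytics.com/collect.js"></script>
<script src="https://cdn.example-shop.com/checkout.js"></script>
</head></html>
"""

# Assumption: the shop's inventory of tracking IDs it actually owns.
OWN_TRACKING_IDS = {"UA-111111-1"}

# Assumption: hosts the shop legitimately loads analytics code from.
KNOWN_ANALYTICS_DOMAINS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "www.googletagmanager.com",
}

# Classic Universal Analytics IDs (UA-xxxxxx-y) and newer G- measurement IDs.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def find_tracking_ids(html):
    """Every tracking ID that appears anywhere in the page source."""
    return sorted(set(TRACKING_ID_RE.findall(html)))


def foreign_tracking_ids(html, own_ids):
    """IDs present in the page that are not in the shop's own inventory."""
    return [tid for tid in find_tracking_ids(html) if tid not in own_ids]


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted analytics domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_script_hosts(html, known, max_distance=2):
    """Script hosts that are not on the known list but are within a few edits of one."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host in known:
            continue
        for legit in sorted(known):
            if 0 < levenshtein(host, legit) <= max_distance:
                hits.append((host, legit))
                break
    return hits


def scan(html, own_ids=OWN_TRACKING_IDS, known=KNOWN_ANALYTICS_DOMAINS):
    """Summarise both checks; an empty report means nothing suspicious was found."""
    return {
        "foreign_tracking_ids": foreign_tracking_ids(html, own_ids),
        "lookalike_hosts": lookalike_script_hosts(html, known),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run against the sample, the report flags `UA-222222-2` as a tracking ID the shop does not own and `googlc-analytics.com` as one edit away from `google-analytics.com`. The ID check is the one that matters for the technique in this article: the script host is genuine, so only the inventory comparison reveals the injection. Because the injected code may refuse to run under developer tools, fetch the page source directly (for example with a scripted HTTP client) rather than relying on what the browser console shows.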
Victoria Vlasova’s words
“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators. That makes malicious injects containing Google Analytics accounts inconspicuous—and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is ok”, comments Victoria Vlasova, Senior Malware Analyst at Kaspersky.
Kaspersky’s advice
Kaspersky has reported the problem to Google, which has confirmed that it is continuously developing its spam detection technologies.
Further information on this new “web skimming” technique is available online on Securelist.
Lastly, to avoid problems related to “web skimming” and to stay protected online, Kaspersky’s experts advise users to rely on a trustworthy security solution such as Kaspersky Security Cloud, which can recognize malicious code and block it from executing, or to completely disable Google Analytics using the Safe Browser function.