Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites. According to several independent reports from , and Sansec , threat actors are now injecting data-stealing code on the compromised.
Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites.
According to several independent reports from PerimeterX, Kaspersky, and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.
« Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics, » Kaspersky said in a report published yesterday. « As a result, the attackers could access the stolen data in their Google Analytics account. »
The cybersecurity firm said it found about two dozen infected websites across Europe and North and South America that specialized in selling digital equipment, cosmetics, food products, and spare parts.
Bypassing Content Security Policy
The attack hinges on the premise that e-commerce websites using Google’s web analytics service for tracking visitors have whitelisted the associated domains in their content security policy (CSP).
CSP is an added security measure that helps detect and mitigate threats stemming from cross-site scripting vulnerabilities and other forms of code injection attacks, including those embraced by various Magecart groups.
The security feature allows webmasters to define a set of domains the web browser should be allowed to interact with for a specific URL, thereby preventing the execution of untrusted code.
Panorama des menaces cyber en 2025 : Implications pour les entreprises françaises à l'ère de…
Introduction L'adoption croissante des technologies d'intelligence artificielle dans le secteur de la santé offre des…
La révolution IA dans le secteur de la santé : nouveaux défis de cybersécurité La…
En tant que PME sous-traitante de grands groupes, vous connaissez trop bien ce scénario :…
Votre entreprise vient de subir une cyberattaque. Dans le feu de l'action, vous avez mobilisé…
"Mais concrètement, à quoi sert un scanner de vulnérabilité pour une entreprise comme la nôtre?"…
This website uses cookies.