Hackers are using Google Analytics to steal credit cards, passwords, IP addresses, and everything else visitors share with a hacked site.
An investigation by Kaspersky Lab has uncovered a new hacking technique that uses Google Analytics to exfiltrate credit card numbers, user agents, IP addresses, passwords: everything a visitor types into the compromised site.
This isn't a vulnerability in Google Analytics itself.
Attackers are abusing the trust that websites extend to Google Analytics (by allowing its domain in their security policies) and using it as the channel to carry data stolen from already-hacked sites back to an account the attackers control.
According to Kaspersky Lab:
“…we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the info entered by users, then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account.”
Kaspersky's report notes that the attack steals everything that is shared with the affected website, including credit card details and, by implication, passwords.
“…the script collects everything anyone inputs on the location (as well as information about the user who entered the data: IP address, User-Agent, time zone).
The collected data is encrypted and sent using the Google Analytics Measurement Protocol.”
In short, the script steals "everything": passwords, names and addresses, credit cards, and even details about the person submitting the information (IP address, user agent, time zone).
How the Exploit Works
A site first has to be exploitable, which means it runs vulnerable software that lets an attacker gain control of it or of the content it serves.
Once the site has been compromised, the attacker uploads code that siphons off the information users submit on the site, such as passwords and credit card numbers.
Google Analytics Used to Steal Credit Cards
Google Analytics is a free service from Google that helps publishers measure the traffic arriving at their sites and understand how visitors interact with them.
It is commonly used to track advertising-related traffic, to see where a campaign is generating more revenue than it costs.
Attackers steal user information by adding their own Google Analytics tracking code, with their own tracking ID, to the website. The visitor's browser then dutifully sends the harvested data, packed into Measurement Protocol hits, to Google's collection endpoint, where it lands in the attacker's Google Analytics account rather than the publisher's. Nothing is delivered to the attacker directly; Google's own infrastructure does the transport.
Content Security Policy Header Flaw
Security headers are one way to harden a website against attacks such as cross-site scripting and script injection, and so to help stop data-theft attacks.
One of these headers is the Content-Security-Policy (CSP) header.
The CSP header tells a browser which domains it may load scripts from and, through directives such as connect-src and img-src, which domains page scripts may send requests to. This is meant to stop an attacker from pulling malicious scripts from another site into a visitor's browser, or from posting stolen data out to one.
According to a report in The Hacker News, the weakness is that sites using Google Analytics list Google's analytics domain in their CSP as a trusted source of scripts and as a permitted destination for requests.
Because Google Analytics is trusted, attackers can add their own Google Analytics code to the site and ship data to Google's servers without violating the policy.
The Content Security Policy is powerless to prevent it: the exfiltration request goes to exactly the host the policy already allows, and the only thing that differs is the tracking ID, which CSP does not inspect. A nonce- or hash-based script-src can stop an injected inline script from running at all, but it does nothing against code an attacker has planted inside a first-party script file on a server they already control.
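To make the CSP point concrete, here is an added example (not code from Kaspersky's report or the original article): a simplified policy evaluator that answers "would this CSP let the page send a request to that URL?". It covers the source expressions found on a typical site ('self', 'none', '*', scheme-only sources such as https:, and host sources with an optional *. wildcard and port) plus the fallback from a missing directive to default-src. The victim site, page URL and attacker tracking ID are made-up placeholders; the collection endpoint is the real Measurement Protocol one.

```javascript
// Added example, not from the article: simplified CSP request evaluation.
// Path matching and the nonce / hash / 'strict-dynamic' keywords are out of
// scope; browsers implement the full algorithm.

const DEFAULT_PORTS = { 'https:': '443', 'http:': '80' };

// Split a header value into a Map of directive name -> list of source expressions.
// Per the spec, a directive that appears twice keeps its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the target URL for a page at `page`?
function sourceMatches(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;   // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  if (wildcard ? !target.hostname.endsWith('.' + h) : target.hostname !== h) return false;
  if (port && port !== '*' && (target.port || DEFAULT_PORTS[target.protocol] || '') !== port) return false;
  return true;
}

// Would a request governed by `directive` (connect-src for fetch/XHR/sendBeacon,
// img-src for an image beacon) to `url` be allowed on a page at `pageUrl`?
function requestAllowed(header, directive, url, pageUrl) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;     // nothing in the policy restricts this request type
  const target = new URL(url);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Hypothetical victim page, the real Measurement Protocol endpoint, and a
// made-up placeholder for the attacker's tracking ID.
const PAGE_URL = 'https://shop.example/checkout';
const GA_COLLECT = 'https://www.google-analytics.com/collect';
const ATTACKER_TID = 'UA-0000000-1';

// What a site that uses Google Analytics typically ships.
const TYPICAL_CSP =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com";

// Same endpoint, different tracking ID: the policy cannot tell the two apart.
function typicalPolicyAllowsExfil() {
  const beacon = `${GA_COLLECT}?v=1&tid=${ATTACKER_TID}&t=event`;
  return requestAllowed(TYPICAL_CSP, 'connect-src', beacon, PAGE_URL) &&
         requestAllowed(TYPICAL_CSP, 'img-src', beacon, PAGE_URL);
}

// Dropping the host from the policy blocks the exfil request, and equally
// blocks the publisher's own analytics: CSP works on hosts, not accounts.
const NO_GA_CSP = "default-src 'self'";
function noGaPolicyBlocksExfil() {
  return !requestAllowed(NO_GA_CSP, 'connect-src', GA_COLLECT, PAGE_URL);
}

console.log('typical policy allows exfil:', typicalPolicyAllowsExfil()); // true
console.log('policy without GA blocks it:', noGaPolicyBlocksExfil());    // true
```

Run it with Node (version 14 or later, for the `??` operator). The two results together are the whole story: the only policy that stops the beacon is one that also breaks legitimate analytics, because a host allow-list has no way to express "this tracking ID but not that one".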
Developer Mode Cloaking
One quirk is that the malicious script hides itself when the browser's developer tools are open ("developer mode"). Presumably the attackers assume that a site owner hunting for rogue code will be doing so with developer tools open.
If you are checking your site for a problem, don't rely only on what the page shows with developer tools open: also fetch the page and its scripts outside the browser (for example with a command-line client, ideally from another machine) and review the raw source.
What You Should Do
One way to tell whether your site is affected is to check whether more than one Google Analytics tracking ID appears in your pages and scripts.
If a site's Google Analytics code had been replaced outright, that would be noticed quickly, because the legitimate analytics property would report no traffic; adding a second ID alongside the real one keeps the publisher's reports looking normal.
Removing the rogue analytics code isn't enough, though. Its presence means there is an underlying vulnerability in the site that let the attacker plant the code in the first place, and until that is found and fixed the code can simply be put back.
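The check described above, as an added example that is not part of the original article or Kaspersky's report: an offline audit of page source and first-party script bodies for Google Analytics identifiers and hand-built Measurement Protocol hits. Feed it raw text fetched out-of-band (a command-line client or a saved copy), so a script that hides itself when developer tools are open has no browser to hide from. The site, file names and tracking IDs in the sample are constructed for the demonstration.

```javascript
// Added example, not from the article: audit fetched page/script text for
// more than one Google Analytics property and for hits built by hand.

// Universal Analytics (UA-…), GA4 (G-…) and Tag Manager (GTM-…) identifiers.
const GA_ID_PATTERN = /\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,9})\b/g;
// A first-party script that talks to the collection endpoint itself, rather than
// through analytics.js/gtag.js, or assembles a tid= parameter by hand, is doing
// something the official snippet never does.
const COLLECT_ENDPOINT = /google-analytics\.com\/(?:g\/)?collect\b/;
const TID_PARAM = /[?&]tid=/;

// Distinct tracking IDs found in a blob of HTML or JavaScript, sorted.
function findAnalyticsIds(text) {
  const ids = new Set();
  for (const m of text.matchAll(GA_ID_PATTERN)) ids.add(m[1]);
  return [...ids].sort();
}

// sources: { resourceName: text } for the page HTML and each first-party script.
// expectedIds: the tracking IDs the site owner actually uses.
function auditSite(sources, expectedIds) {
  const expected = new Set(expectedIds);
  const ids = new Set();
  const findings = [];
  for (const [name, text] of Object.entries(sources)) {
    for (const id of findAnalyticsIds(text)) {
      ids.add(id);
      if (!expected.has(id)) findings.push({ source: name, kind: 'unexpected-tracking-id', value: id });
    }
    if (COLLECT_ENDPOINT.test(text)) findings.push({ source: name, kind: 'direct-collect-endpoint' });
    if (TID_PARAM.test(text)) findings.push({ source: name, kind: 'hand-built-tid-parameter' });
  }
  return { ids: [...ids].sort(), findings, suspicious: findings.length > 0 };
}

// Constructed sample (not real site data): the publisher's legitimate snippet
// in the page, and a first-party script carrying a second tracking ID and a
// hand-assembled collection URL. The script shows only the indicator strings
// an auditor would look for, not a working skimmer.
const SAMPLE_SOURCES = {
  'index.html': `
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-1"></script>
    <script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
    gtag('js',new Date());gtag('config','UA-1234567-1');</script>
    <script src="/static/checkout.js"></script>`,
  '/static/checkout.js': `
    // ...legitimate checkout code above...
    var t='UA-7654321-2';
    var u='https://www.google-analytics.com/collect?v=1&tid='+t+'&t=event&ea=';
    // (constructed indicator only: the collected fields would be appended to u)`,
};

// Audit the sample as the owner of UA-1234567-1 would.
function demo() {
  return auditSite(SAMPLE_SOURCES, ['UA-1234567-1']);
}

const report = demo();
console.log('tracking IDs seen:', report.ids.join(', '));
for (const f of report.findings) console.log('finding:', f.source, f.kind, f.value ?? '');
```

Two IDs on one site is the headline signal, but the other two findings matter just as much: the official Google snippet never references `/collect` or builds `tid=` itself, so any first-party file that does is worth reading line by line. Treat a hit as evidence of a compromised server, not just a bad script, and go looking for how it got there.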
(With inputs from SearchEngineJournal)