
Attackers Use Google Analytics to View Scraped Credit Card Details

“The attackers could access the stolen data in their Google Analytics account”.

By Claudia Glover

Researchers at web security company Kaspersky have “identified several cases” where Google Analytics was used by attackers to view skimmed data, such as credit card details, from sites injected with malware.

Kaspersky research arm Secure List found that by injecting malicious code into sites that often take credit card details, such as travel sites, attackers were able to use Google Analytics to access the stolen data.

Secure List found that this technique was being used on 20 websites in Europe, the US and South America, selling digital parts, cosmetics and foodstuffs.

Google Analytics Views Illegal Data

The research report released yesterday explained this process in more detail:

“To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID and insert it into the web pages together with the tracking code (a special snippet of code).

“Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account”.

Google Analytics is used on 29 million sites, according to site analysis tool BuiltWith. Because of the brand name, visitors will use this service with no scrutiny whatsoever. According to Secure List, it is common for administrators to write *.google-analytics.com into the Content-Security-Policy header, which lists the resources that third-party code can safely be downloaded from.
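The Content-Security-Policy entry described above trusts a host, not an account, so a beacon sent to someone else's tracking ID passes it unchanged. As an added example (not from the article or the Kaspersky report), this Node.js check audits request URLs captured from a page, for instance from a proxy log, and flags Analytics beacons whose `tid` (the tracking ID query parameter) is not one the site owner configured; the IDs, URLs and function names are constructed for illustration.

```javascript
// Tracking IDs the site owner configured (constructed values, an assumption).
const OWNED_TRACKING_IDS = new Set(["UA-11111111-1"]);

// True for hosts that a *.google-analytics.com CSP entry would cover
// (the bare domain is accepted here as well).
function isAnalyticsHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "google-analytics.com" || h.endsWith(".google-analytics.com");
}

// Returns a finding for every Analytics beacon whose tracking ID (the `tid`
// query parameter) is absent or is not one of the site's own.
function findForeignBeacons(requestUrls, owned = OWNED_TRACKING_IDS) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // relative or malformed entry in the capture
    }
    if (!isAnalyticsHost(url.hostname)) continue;
    if (!url.pathname.endsWith("/collect")) continue; // script downloads are not beacons
    const tid = url.searchParams.get("tid");
    if (tid === null) {
      findings.push({ url: raw, tid: null, reason: "no tid in query; inspect request body" });
    } else if (!owned.has(tid)) {
      findings.push({ url: raw, tid, reason: "tracking ID not owned by this site" });
    }
  }
  return findings;
}

// Constructed sample capture from a checkout page.
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/analytics.js",
  "https://www.google-analytics.com/collect?v=1&tid=UA-11111111-1&cid=555&t=pageview",
  "https://www.google-analytics.com/collect?v=1&tid=UA-99999999-9&cid=555&t=event&ec=form",
  "https://cdn.example.com/app.js",
  "https://www.google-analytics.com/collect",
];

for (const f of findForeignBeacons(SAMPLE_REQUESTS)) {
  console.log(`${f.reason}: ${f.tid ?? "(none)"} -> ${f.url}`);
}
```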

The act of web scraping itself is now legal as of 2019, and Google has its own free web scraping tool called Instant Data Scraper.

Below such capabilities as “get contact info from professional association websites” and “get email addresses and phone numbers from directories” on the tool’s listing, there is one promise from the developer to the customer:

“This extension does not contain any malware or spyware beyond standard Google Analytics”.
