Attackers Use Google Analytics to View Scraped Credit Card Details

“The attackers could access the stolen data in their Google Analytics account”.

By Claudia Glover

Researchers at web security company Kaspersky have “identified several cases” where Google Analytics was used by attackers to view skimmed data such as credit card details from sites injected with malware.

Kaspersky research arm Securelist found that by injecting malicious code into sites that often take credit card details, such as travel sites, attackers were able to use Google Analytics to access the stolen data.

Securelist found that this technique was being used on 20 websites in Europe, the US and South America, selling digital parts, cosmetics and foodstuffs.

Google Analytics Views Illegal Data

The research report released yesterday explained this process in more detail:

“To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID and insert it into the web pages together with the tracking code (a special snippet of code).

“Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account”.

Google Analytics is used on 29 million sites, according to site analysis tool BuiltWith. Because of the brand name, visitors use the service with no scrutiny whatsoever. According to Securelist, it is common for administrators to write *.google-analytics.com into the Content-Security-Policy header, which lists the resources from which third-party code may safely be downloaded.
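
A site owner can audit for the condition described above. The following is an added example, not code from Kaspersky or the article: it reports which Content-Security-Policy directives trust google-analytics.com hosts (CSP matches on host, not on tracking ID) and lists any Analytics tracking IDs in page source that are not the site's own. The function names, sample header, sample page and tracking IDs are all constructed for illustration.

```python
import re

# Universal Analytics (UA-1234567-1) and GA4 (G-XXXXXXXXXX) ID formats.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")


def csp_allows_any_ga_property(csp_header):
    """Map each CSP directive to the google-analytics.com sources it trusts.

    A non-empty result means requests to Analytics are permitted no matter
    whose tracking ID they carry, because CSP cannot distinguish accounts.
    """
    hits = {}
    for directive in csp_header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        ga_sources = [s for s in sources if "google-analytics.com" in s.lower()]
        if ga_sources:
            hits[name] = ga_sources
    return hits


def unexpected_tracking_ids(page_source, own_ids):
    """Return tracking IDs present in the page that the site does not own."""
    return sorted(set(GA_ID.findall(page_source)) - set(own_ids))


# Constructed sample data (placeholder IDs, not taken from the report).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' *.google-analytics.com; "
    "connect-src 'self' https://www.google-analytics.com"
)
SAMPLE_PAGE = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-11111111-1', 'auto'); ga('send', 'pageview');</script>
<script>ga('create', 'UA-99999999-7', 'auto', 'x');</script>
"""

if __name__ == "__main__":
    print(csp_allows_any_ga_property(SAMPLE_CSP))
    print(unexpected_tracking_ids(SAMPLE_PAGE, {"UA-11111111-1"}))
```

A literal-string scan only catches IDs written in plain text, so it complements rather than replaces integrity checks on the scripts a page serves.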

The act of web scraping itself is now legal as of 2019, and Google has its own free web scraping tool called Instant Data Scraper.

Below such capabilities as “get contact info from professional association websites” and “get email addresses and phone numbers from directories” on the tool’s listing, there is one promise from the developer to the customer:

“This extension does not contain any malware or spyware beyond standard Google Analytics”.
