Researchers at security company Kaspersky have “identified several cases” where attackers used Google Analytics to view skimmed data, such as credit card details, from sites injected with malware.
Kaspersky's research arm Secure List found that by injecting malicious code into sites that routinely take credit card details, such as travel sites, attackers were able to use Google Analytics to retrieve the stolen data.
Secure List found the technique in use on 20 websites in Europe, the US and South America selling digital parts, cosmetics and foodstuffs.
Google Analytics Views Illegal Data
The research report released yesterday explained this process in more detail:
“To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID and insert it into the web pages together with the tracking code (a special snippet of code).
“Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account”.
Google Analytics is used by 29 million sites, according to the site analysis tool BuiltWith. Because the brand is so familiar, visitors treat the service with no scrutiny whatsoever. According to Secure List, it is common for administrators to write *.google-analytics.com into the Content-Security-Policy header, which lists the origins the browser may load third-party code from and send data to, so traffic to that domain passes the policy regardless of whose Analytics account receives it.
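As an added example (not from the article or from Kaspersky's report) of what a site operator can check given the above: a small Python script that flags Google Analytics tracking IDs appearing in a page that are not the site's own, and tests whether a Content-Security-Policy header would let page scripts send data to google-analytics.com at all. The tracking IDs, the HTML and the headers are constructed for illustration.

```python
import re

# Constructed sample page: the site's own Analytics snippet plus an injected
# script that initialises a second, unknown tracking ID (hypothetical IDs).
SAMPLE_PAGE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-11111111-1"></script>
<script>gtag('config', 'UA-11111111-1');</script>
<script>ga('create', 'UA-99999999-9', 'auto'); ga('send', 'pageview');</script>
"""

# Tracking IDs the site legitimately uses; anything else in the page is suspect.
ALLOWED_IDS = {"UA-11111111-1"}

# Universal Analytics (UA-...) and GA4 (G-...) measurement ID formats.
TRACKING_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def find_tracking_ids(html: str) -> set[str]:
    """Return every Google Analytics tracking ID referenced in the page."""
    return set(TRACKING_ID_RE.findall(html))


def unexpected_tracking_ids(html: str, allowed: set[str]) -> set[str]:
    """IDs present in the page that are not on the site's own allowlist."""
    return find_tracking_ids(html) - allowed


def csp_allows_ga_exfil(csp_header: str) -> bool:
    """True if the CSP lets page scripts send data to google-analytics.com.

    A CSP cannot tell the site's Analytics account from anyone else's: once
    the host is allowed, any tracking ID can receive data from the page.
    """
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    # connect-src governs XHR/fetch/beacon requests; it falls back to default-src.
    sources = directives.get("connect-src")
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no directive restricts outbound connections at all
    return any(s == "*" or "google-analytics.com" in s for s in sources)


if __name__ == "__main__":
    print("unexpected IDs:", unexpected_tracking_ids(SAMPLE_PAGE, ALLOWED_IDS))
    print("CSP permits sending to GA:", csp_allows_ga_exfil(
        "default-src 'self'; connect-src 'self' *.google-analytics.com"))
```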
The act of web scraping itself is now legal as of 2019, and Google has its own free web scraping tool called Instant Data Scraper.
Below such capabilities as “get contact info from professional association websites” and “get email addresses and phone numbers from directories” on the tool’s listing, there is one promise from the developer to the customer:
“This extension does not contain any malware or spyware beyond standard Google Analytics”.