A new type of online scam uses legitimate Google Analytics accounts to steal personal and banking data from e-commerce customers. The sophisticated fraud involves compromising online stores to insert malicious code, with customer information then transferred through Google's metrics platform to hide the traces and identities of the attackers responsible.
The warning about the practice, known as web skimming, came from Kaspersky. According to the information security company, the method is not new in its design, which involves intercepting payment data at the time of a purchase at an insecure online store. What caught the experts' attention, however, were the obfuscation tactics used, which are unprecedented.
To carry out the scam, those responsible register legitimate Google Analytics accounts, which generates a tracking ID, through which a website's access metrics are collected and reported to webmasters. This code is manipulated and inserted into a previously compromised e-commerce site alongside malicious code designed to steal data, which is sent back to the criminals through Google's service.
According to Kaspersky experts, the use of the Analytics ID makes the intrusion difficult to identify, since an analysis will find nothing linked to strange domains or third-party servers, only references to the Google platform. The malicious code has a second peculiarity: it can detect when a site administrator is analyzing the page in developer mode and hide its own activity, drawing even less attention.
“This [all] makes malicious use of the tool imperceptible and easy to ignore,” explains Victoria Vlasova, senior malware analyst at Kaspersky. According to her, the use of Google Analytics serves as an effective obfuscation tactic, since the metrics service is trusted by millions of webmasters around the world and is one of the most used systems on the web. “This is a technique that we have never seen before and that is particularly effective.”
With the stolen data in hand, attackers can carry out a series of actions. Since this is financial information, bank fraud and card cloning are the fastest ways to make a profit, but criminals can also use addresses, documents, emails and phone numbers for phishing, extortion and other attacks against victims' accounts and profiles if the victims have not done their own homework on digital security.
According to experts, the best protection is to use security solutions on mobile phones and computers, since such software can block trackers such as Analytics or prevent the execution of suspicious or malicious code. In addition, the ideal is to register and make purchases only on trusted sites that follow security best practices.
For e-commerce administrators, reviewing servers for unknown access and auditing source code can be the way to discover fraud of this type. Comparing the store's legitimate Google Analytics ID with the code present on the purchase pages can identify the scam, as can analyzing the code for suspicious scripts that run when the page is accessed.
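The ID comparison described above, as an added example (not code from Kaspersky or the original article): a static scan of a page's source for Google Analytics tracking IDs that flags any ID the store does not own. The sample page, the IDs `G-STORE12345` and `UA-00000000-1`, and the function names are constructed for illustration.

```python
import re

# Universal Analytics (UA-<account>-<property>) and GA4 (G-<id>) identifiers.
# Matching is case-sensitive so markup such as "g-recaptcha" is not reported.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Constructed sample: a checkout page carrying the store's own ID plus one
# extra ID inside an inline script.
SAMPLE_CHECKOUT = """\
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-STORE12345"></script>
<script>gtag('config', 'G-STORE12345');</script>
</head><body>
<form id="payment">...</form>
<script>
  var hit = "https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=1";
</script>
</body></html>
"""

def find_tracking_ids(page_source):
    """Return {tracking_id: [line numbers]} for every GA ID in the source."""
    found = {}
    for lineno, line in enumerate(page_source.splitlines(), start=1):
        for match in GA_ID.finditer(line):
            found.setdefault(match.group(1), []).append(lineno)
    return found

def audit_page(page_source, store_ids):
    """Return only the IDs that are not in the store's own set."""
    return {
        tid: lines
        for tid, lines in find_tracking_ids(page_source).items()
        if tid not in store_ids
    }

if __name__ == "__main__":
    unexpected = audit_page(SAMPLE_CHECKOUT, {"G-STORE12345"})
    for tid, lines in unexpected.items():
        print(f"unexpected tracking ID {tid} on line(s) {lines}")
```

A clean result from this scan is only a first pass: an ID that is encoded or assembled at run time will not match the pattern, so the script audit mentioned above is still needed.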
Contacted by Canaltech, Google confirmed that it had been warned by Kaspersky about the exploitation and reported that all accounts linked to the scam were suspended. According to the company, the necessary measures are taken whenever any type of unauthorized use of Analytics is identified.