Researchers at Kaspersky have uncovered a rather frightening technique being used to skim payment information from ecommerce websites.

Cybercriminals are reportedly using Google Analytics accounts to collate data from web skimming attacks.

“Web skimming is a popular practice used by attackers to steal users’ credit card details from the payment pages of online stores, whereby attackers inject pieces of code into the source code of the website. This malicious code then collects the data inputted by visitors to the site (i.e. payment account logins or credit card numbers) and sends the harvested data to the address specified by attackers in the malicious code,” explains Kaspersky.

The firm says that while attackers have used fake versions of legitimate websites to disguise their malicious actions in the past, the attackers have graduated.

Attackers have been injecting malicious code into websites and then using Google Analytics to collate the data skimmed from the site.

The trouble is that website administrators allow Google Analytics access to their website because it is trusted. This degree of trust lets Analytics see actions such as how long users remain on your site, where they are from and more.

But this trust has been leveraged by the bad guys.

“Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account,” writes senior malware analyst at Kaspersky, Victoria Vlasova.

This stolen data includes payment information and more.

The good news is that Kaspersky only found two dozen infected sites worldwide and these sites were located in Europe, North America and South America.

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators. That makes malicious injects containing Google Analytics accounts inconspicuous – and easy to overlook,” says Vlasova.

The firm recommends website owners make use of a security solution which detects and blocks malicious scripts from running. The alternative is disabling Google Analytics altogether.

Vlasova concludes by saying, “As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is ok”.
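One way to act on that advice, as an added example (not code from Kaspersky or the original article): compare the Google Analytics property IDs a checkout page actually uses against the IDs the site owner registered. The request URLs are assumed to come from a browser network capture; the function names, the non-exhaustive host list and the sample data are constructed for illustration.

```javascript
// Hostnames that receive Google Analytics hits (assumed list, not exhaustive).
const GA_HOSTS = new Set([
  "www.google-analytics.com",
  "ssl.google-analytics.com",
  "analytics.google.com",
]);
// Universal Analytics (UA-1234567-1) and GA4 (G-ABC123) property ID shapes.
const GA_ID = /\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b/gi;

// IDs sent on the wire: the `tid` parameter of each Analytics request.
function idsFromRequests(urls) {
  const ids = new Set();
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip malformed entries
    if (!GA_HOSTS.has(u.hostname)) continue;      // only Analytics endpoints
    const tid = u.searchParams.get("tid");
    if (tid) ids.add(tid.toUpperCase());
  }
  return ids;
}

// IDs written in plain text in page source or inline scripts.
function idsFromSource(html) {
  return new Set((html.match(GA_ID) || []).map((s) => s.toUpperCase()));
}

// Return every ID seen that the site owner did not register, sorted.
function unexpectedIds(urls, html, allowed) {
  const ok = new Set(allowed.map((s) => s.toUpperCase()));
  const seen = new Set([...idsFromRequests(urls), ...idsFromSource(html)]);
  return [...seen].filter((id) => !ok.has(id)).sort();
}

// Constructed sample data for a checkout page (not taken from the article).
const sampleUrls = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&t=pageview",
  "https://www.google-analytics.com/collect?v=1&tid=UA-9999999-9&t=event&ea=x",
  "https://cdn.example.test/app.js?tid=UA-5555555-5", // not an Analytics host
  "not a url",
];
const sampleHtml = `<script>gtag('config', 'G-OWNSITE123');</script>`;
const sampleAllowed = ["UA-1111111-1", "G-OWNSITE123"];

console.log(unexpectedIds(sampleUrls, sampleHtml, sampleAllowed));
```

Checking the `tid` parameter of captured requests still works when the ID is not written in plain text in the page source, which the source scan alone would miss.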

You can find a high-level breakdown of the script and how it leverages Google Analytics here.
