Kaspersky researchers have uncovered a new technique for stealing users’ payment information on online shopping websites—a type of attack known as web skimming.
Web skimming is a popular practice used by attackers to steal users’ credit card details from the payment pages of online stores, whereby attackers inject pieces of code into the source code of the website. This malicious code then collects the data inputted by visitors to the site (i.e. payment account logins or credit card numbers) and sends the harvested data to the address specified by attackers in the malicious code. Often, to conceal the fact that the webpage has been compromised, attackers register domains with names that resemble popular web analytics services, such as Google Analytics. That way, when they inject the malicious code, it’s harder for the site administrator to know that the site has been compromised. For example, a site named “googlc-analytics[.]com” is easy to mistake as a legitimate domain.
Recently, however, Kaspersky researchers have discovered a previously unknown technique for conducting web skimming attacks. Rather than redirecting the data to third-party sources, they redirected it to official Google Analytics accounts. Once the attackers registered their accounts on Google Analytics, all they had to do was configure the accounts’ tracking parameters to receive a tracking ID. They then injected the malicious code along with the tracking ID into the webpage’s source code, allowing them to collect data about visitors and have it sent directly to their Google Analytics accounts.
Read the full official story here