Over the last few months, it has been brought to our attention that several credit card-stealing scripts use variations of the Google Analytics name to look less suspicious and evade detection by website owners.

The folks over at Sucuri have uncovered a new security threat involving malicious scripts posing as legitimate Google tracking calls in order to avoid casual detection. These scripts are designed to scrape sensitive data such as credit card information from compromised websites.

The malicious code attempts to mimic references to the standard Google Analytics and Google Tag Manager libraries using nearly identical URLs, in some cases registered using alternative TLDs.

In the example below, a malicious script uses a Cameroonian TLD to mimic a reference to the standard Google Analytics library.

Legitimate

www.google-analytics.com/analytics.js

Malicious

www.google-analytics.cm/analytics.js

In the next example, a malicious script is hosted on a domain registered under the standard ‘.com’ TLD but with a single-letter change (a ‘q’ in place of a ‘g’), so the script is loaded from a domain not owned by Google.

Legitimate

www.googletagmanager.com/gtm.js

Malicious

www.gooqletagmanager.com/gtm.js

According to Sucuri, inspections of the malicious code reveal its true intention is to harvest sensitive details from form fields including credit-card details entered during checkout.

Possibly more alarming, Sucuri also outlines an attack vector involving equally obfuscated malicious code, mimicking standard Google tracking calls, embedded directly within sensitive forms. This suggests that these sites have at some point been compromised through targeted hacking and that their administrators have been unable to differentiate these calls from legitimate tracking.

To be sure, none of these techniques are new; however, the obfuscation by mimicking legitimate Google tracking calls is somewhat alarming given the significant use of Google tracking scripts across the web.

This is not the only case where this approach could help identify e-commerce site compromises. If you believe your site is being used for phishing campaigns and you need a hand cleaning up the infection, we’d be happy to help.

Other than being aware that such threats exist, we recommend that site administrators scan their sites for references to all of the malicious domains and libraries outlined in the original post.
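
One way to run such a scan, as an added example (not code from Sucuri or from this post): it pulls every hostname-like token out of a page's source and flags those that differ from the two legitimate Google domains shown above only by TLD or by a couple of characters. The function names, the distance threshold of 2 and the sample HTML are assumptions made for illustration.

```python
import re

# Domains the page names as legitimate; add any other third-party hosts you load.
LEGIT = ("google-analytics.com", "googletagmanager.com")

# Any hostname-like token, so inline or single-line code is covered, not only src="...".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels; a simplification that ignores multi-label suffixes."""
    return ".".join(host.lower().split(".")[-2:])

def classify(host):
    """Return a reason string if host imitates a LEGIT domain, else None."""
    base = base_domain(host)
    if base in LEGIT:
        return None
    name, _, tld = base.rpartition(".")
    for legit in LEGIT:
        lname, _, ltld = legit.rpartition(".")
        if name == lname and tld != ltld:
            return f"TLD swap of {legit}"
        if tld == ltld and edit_distance(name, lname) <= 2:
            return f"near-match of {legit}"
    return None

def scan(text):
    """Map each suspicious host found in text to the reason it was flagged."""
    hits = ((h.lower(), classify(h)) for h in HOST_RE.findall(text))
    return {h: r for h, r in hits if r}

# Constructed sample page using the four URLs shown above.
SAMPLE = """<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://www.google-analytics.cm/analytics.js"></script>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<form id="checkout"><script>var s='www.gooqletagmanager.com/gtm.js';</script></form>"""
```

Calling scan() on each template, theme file and rendered checkout page returns only the hosts that need a closer look; an empty result means no lookalike of the listed domains was referenced.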

In most cases, they are not formatted as well as the above sample and occupy just a long, single line of code.

Overall, this attack shows a significant level of customization, where attackers have taken an individualized yet very consistent approach to every compromise.

Each site has its own set of injected scripts, compromised sites, misleading variables and file names, and unique variations of obfuscation. At the same time, at each level, they consistently try to give the impression that they do something useful, are related to Google Analytics or Magento conversion tracking, or are built with reputable JS frameworks.
