Kaspersky: Online shoppers’ credit card details at risk to new “web skimming” hack via Google Analytics

Researchers over at cybersecurity company Kaspersky have discovered a new method used by attackers to steal payment details—including credit card information—from e-commerce websites. What’s worrying is that the technique involves Google Analytics accounts, with an estimated 24 websites already affected.

Victoria Vlasova, Senior Malware Analyst at Kaspersky, explains that this method of attack is a new discovery, and the widespread use of Google Analytics makes it even more dangerous:

“This is a technique we have not seen before, and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by site administrators.”

But first: What is web skimming?

Web skimming isn’t exactly new, with Kaspersky explaining that the technique has been used to steal payment information from online stores in the past. Basically, malicious code is inserted into the source code of a e-commerce website, which then collects users’ payment details, before sending them back to the hackers.

Usually, these attackers use domain names that appear to be legitimate, often with a single letter that indicates the fakeness of the domain (ie. googlee-analytics). But with this new method of web skimming, Kaspersky says that the data is actually rerouted to official Google Analytics accounts—which makes the attack even more difficult to detect.

These malicious parties register real accounts with Google Analytics, redirect users’ credit card info via the inserted malicious code to their accounts, and then configure the accounts to collect private user data. As an extra safeguard against detection from domain holders (for e-commerce and other affected sites), the attackers’ code ensures that if a site administrator attempts to debug a website’s source code, the attackers’ previously inserted code is not executed (and thus, isn’t detected).

How to protect yourself, and your credit card information

Google has been notified about the vulnerability, with preventive measures expected sometime soon from the search engine giants. In the meantime, Kaspersky recommends using a reliable security solution that has the capability to detect (and block) malicious code from being executed.

Kaspersky’s own Security Cloud solution does this, while it can also disable Google Analytics from being used altogether. However, it’s worth noting that Google Analytics is a tool that is used by millions of websites all around the world to track domain metrics, and until a permanent solution is found, site domain administrators will have to be extra wary when examining a site’s source code.

To find out more about web skimming, click here.