Hacker’s Analytics – How Magecart stays rampant

June 26, 2020
google analytics hacker's tool magecart exploit

Another hot plate dish on Magecart where Cybersecurity experts have recently exposed activities concerning online stores. This new rupture is targeting e-commerce companies to stealthily steal credit card information for people that make purchases through stores online. This activity can bypass the multi-layered security protocol called Content Security Policy (CSP), which is imposed by hosts onto many web stores. Be it known that CSP is primarily used to ensure the hackers cannot inject to execute malicious code to the businesses’ website.

However, with the demonstration done by the firm mentioned above, they were able to show the vulnerability that they discovered about the CSP stronghold with the aid of Google Analytics (GA) and Google servers. The result confirmed that this protocol to protect customer’s sensitive information is still not foolproof.


Analytics on the loophole

The analysis shows that hackers were able to see the loophole where these businesses that use CSP are whitelisting any credentials which are affiliated to Google Analytics. In this instance, malicious actors able to inject their lethal code hideously to the e-commerce website without being blocked by CSP as this protocol trusted anything from Google. With its spyware in place, they can now exfiltrate customer’s credit card information upon its submission then be transferred to their Google Dashboard through an encrypted file. Then hackers can deliver it to their remote storage for decryption.

On the statistics report from BuiltWith, they confirmed that operators use Google Analytics on over 29 million e-commerce websites, second is Baidu Analytics, and then Yandex Metrika. Analytics applications are well known to be accessible on web stores as one of its features is to collate customer behavior upon visiting their website, then converting it to statistics. The data gathered can be used by the owner to know which products or services are best and least to their customer. The main reason that the perpetrators have targeted it as they cannot penetrate CSP alone. Thus, using these analytics served the window in their pursuit to continue their malicious acts.


Our recommendation

Generally, the report aims to show the weakness of CSP and for it to get improvement. As CSP allows whitelisting protocol, any domain tagged as trusted within its database, once compromised, can be utilized to bypass its imposed security, and exfiltrating sensitive data is inevitable. Thus, we highly recommend having a restriction upgrade for accounts to perform data exfiltration and transmission.

About the author

Leave a Reply