Pierluigi Paganini
February 19, 2021
Hackers abuse Google Apps Script to steal credit cards, bypass CSP
Sansec researchers reported that threat actors are abusing Google’s Apps Script business application development platform to steal credit card data provided by customers of e-commerce websites.
“Attackers use the reputation of the trusted Google domain script.google.com to evade malware scanners and trust controls like CSP.” reads the post published by the security firm Sansec.
Attackers use the script.google.com domain to avoid detection and bypass Content Security Policy (CSP) controls, the Google domain, and its subdomains, are whitelisted by default in the CSP configuration of the e-stores.
The new technique was discovered by security researcher Eric Brandel using the Sansec’s Early Breach Detection tool.
Thanks to some data from @sansecio, I came across another example of a digital skimmer/#magecart script abusing a Google service for data exfiltration. In this case, the service being abused was Google Apps Script
— Eric Brandel (@AffableKraut) February 18, 2021
1/7 pic.twitter.com/xRzt29pD9L
Attackers compromise the e-stores by injecting a small piece of obfuscated code into their pages:
the malware was designed to intercepts payment forms and sends the data to a custom application hosted at Google Apps Script.
https[:]//script[.]google.com/macros/s/AKfycbwRGFNoOpnCE9c8Y7jQYknBhSTPHNfLaEZ-IB_JEzeLLjY-FmM/exec
Experts pointed out that the the actual code hosted at Google is not public, but the error message displayed reaching the above script suggests that stolen payment data is funneled by Google servers to an Israel-based site called analit[.]tech.
Experts noticed that this malicious domain http://analit[.]tech/ was registered on the same day as previously discovered domains hotjar[.]host and pixelm[.]tech that were involved in malware attacks, who are also hosted on the same network.
“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring is essential in any modern security policy.” concludes Sansec.
This isn’t the first time that Magecart hackers abused Google services in their campaign, in June, Kaspersky identified several web skimming attacks that abused Google Analytics service to exfiltrate data stolen with an e-skimmer software.
Threat actors exploit the trust in Analytics to bypass Content Security Policy (CSP) using the Analytics API.
Attackers targeted e-store using Google’s web analytics service for tracking visitors and that for this reason Google Analytics domains are whitelisted in their CSP configuration.
Kaspersky found about two dozen infected sites worldwide, including e-stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Google’s Apps Script)
[adrotate banner=”5″]
[adrotate banner=”13″]
