Hackers steal credit card data abusing Google’s Apps Script

Hackers abuse Google Apps Script to steal credit cards, bypass CSP

Attackers are abusing Google’s Apps Script business application development platform to steal payment card information from e-stores.

Sansec researchers reported that threat actors are abusing Google’s Apps Script business application development platform to steal credit card data provided by customers of e-commerce websites.

“Attackers use the reputation of the trusted Google domain script.google.com to evade malware scanners and trust controls like CSP.” reads the post published by the security firm Sansec.

Attackers use the script.google.com domain to avoid detection and bypass Content Security Policy (CSP) controls, the Google domain, and its subdomains, are whitelisted by default in the CSP configuration of the e-stores.

The new technique was discovered by security researcher Eric Brandel using the Sansec’s Early Breach Detection tool.

Attackers compromise the e-stores by injecting a small piece of obfuscated code into their pages:

the malware was designed to intercepts payment forms and sends the data to a custom application hosted at Google Apps Script.

https[:]//script[.]google.com/macros/s/AKfycbwRGFNoOpnCE9c8Y7jQYknBhSTPHNfLaEZ-IB_JEzeLLjY-FmM/exec

Experts pointed out that the the actual code hosted at Google is not public, but the error message displayed reaching the above script suggests that stolen payment data is funneled by Google servers to an Israel-based site called analit[.]tech.

Experts noticed that this malicious domain http://analit[.]tech/ was registered on the same day as previously discovered domains hotjar[.]host and pixelm[.]tech that were involved in malware attacks, who are also hosted on the same network.

“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring is essential in any modern security policy.” concludes Sansec.

This isn’t the first time that Magecart hackers abused Google services in their campaign, in June, Kaspersky identified several web skimming attacks that abused Google Analytics service to exfiltrate data stolen with an e-skimmer software.

Threat actors exploit the trust in Analytics to bypass Content Security Policy (CSP) using the Analytics API.

Attackers targeted e-store using Google’s web analytics service for tracking visitors and that for this reason Google Analytics domains are whitelisted in their CSP configuration.

Kaspersky found about two dozen infected sites worldwide, including e-stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Google’s Apps Script)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.