Web skimming is a practice used by hackers to steal users’ credit card details from online stores’ payment pages by injecting pieces of code into the websites’ source code. This malicious code then collects the data that unknowing shoppers input (i.e. payment account logins or credit card numbers) and sends it back to the attacker.
Researchers at Kaspersky, the cybersecurity and antivirus company, have now revealed a new technique that is being used to steal users’ payment information.
The attackers register domains with names that resemble popular web analytics services that site administrators trust, such as Google Analytics. That way, the injected malicious code is less likely to reveal to the site administrator that the webpage has been compromised. One example is the domain name “goglc-analytics . com”.
“This is a technique we have not seen before and one that is particularly effective. Google Analytics is one of the most popular web analytics services out there. The vast majority of developers and users trust it, meaning it’s frequently given permission to collect user data by the site administrator,” says Victoria Vlasova, Senior Malware Analyst at Kaspersky.
“That makes malicious injects containing Google Analytics accounts inconspicuous – and easy to overlook. As a rule, administrators should not assume that, just because the third-party resource is legitimate, its presence in the code is ok,” she concludes.
Kaspersky researchers say that they have also noticed another new technique for conducting web skimming attacks. Rather than redirecting the data to third-party sources, the attackers redirected it to official Google Analytics accounts.
Because the data isn’t being directed to an unknown third-party resource, it’s difficult for administrators to realize the site has been compromised. For those examining the source code, it just appears as if the page is connected with an official Google Analytics account – a common practice for online stores.
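Both techniques described above leave traces an administrator can check for in the page source: script hosts that imitate an analytics domain, and Google Analytics property IDs that are not the store's own. The following audit is an added example, not code from Kaspersky or the original article; the trusted host list, the store's own ID, the similarity threshold and the sample page are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: the analytics hosts this store really loads, and its own GA property IDs.
TRUSTED_HOSTS = {"google-analytics.com", "googletagmanager.com"}
OWN_GA_IDS = {"UA-1111111-1"}  # constructed placeholder ID
GA_ID_RE = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


class ScriptHosts(HTMLParser):
    """Collects the host of every <script src=...> that points off-site."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None
        if host:  # relative URLs have no host and are skipped
            self.hosts.add(host[4:] if host.startswith("www.") else host)


def is_trusted(host):
    """True for a trusted host or any subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit(html, threshold=0.8):
    """Return script hosts that imitate a trusted host, and GA IDs that are not ours."""
    parser = ScriptHosts()
    parser.feed(html)
    lookalikes = sorted(
        h for h in parser.hosts
        if not is_trusted(h)
        and any(SequenceMatcher(None, h, t).ratio() >= threshold for t in TRUSTED_HOSTS)
    )
    unknown_ids = sorted(set(GA_ID_RE.findall(html)) - OWN_GA_IDS)
    return {"lookalike_hosts": lookalikes, "unknown_ga_ids": unknown_ids}


# Constructed sample page: one lookalike loader and one foreign GA property.
SAMPLE = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://goglc-analytics.com/ga.js"></script>
<script src="/static/cart.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<script>ga('create','UA-1111111-1','auto'); ga('create','UA-9999999-9','auto');</script>
"""
```

A static scan like this only sees markup present in the HTML it is given; scripts added at runtime need a check against the rendered DOM or a Content Security Policy report.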