Card-Skimming Scripts Hide Behind Google Analytics, Angular

google analytics card skimmers

The campaign is marked by a significant level of customization, with an “individualized yet very consistent approach to every compromise.

A host of credit card-stealing scripts have popped up on the web, injected into websites and purporting to be legitimate Google Analytics or Angular utilities in order to avoid webmaster notice.

According to research from Sucuri, the malicious code is obfuscated and injected into legitimate JS files, mainly on Magento-built sites. A JS file is a text file containing JavaScript code that is used to execute JavaScript instructions in web pages.

The campaign is marked by a significant level of customization, with an “individualized yet very consistent approach to every compromise,” the researchers explained in a Tuesday post. “Each site has its own set of injected scripts, compromised sites, misleading variables and file names, and unique variations of obfuscation.”

They added, “At the same time, at each level, they consistently try to make an impression that they do something useful, are related to Google Analytics or Magento conversion tracking, or are built with reputable JS frameworks.”

For some sites, “the obfuscated code loads another script from www.google-analytics[.]cm/analytics.js. The URL looks very similar to the real Google Analytics location – www.google-analytics.com/analytics.js – but has the .cm top-level domain instead of .com,” the team said. “If someone views the script, they’ll find this obfuscated code that also tries to mask itself as GoogleAnalytics.”

On other compromised sites, the credit card-stealing code masquerades as legitimate Angular code; Angular is Google’s framework for web development. At least 40 sites have been found hosting these fake scripts, according to Sucuri.

“The code contains many keywords that look relevant to this popular JavaScript framework, such as Angular.io, algularToken, angularCdn, and angularPages,” according to the post. “However, a more thorough analysis shows that angularCdn is an encrypted URL, alglularToken (note the typo) is a decryption key, and the rest of the code are functions that decode the URL and dynamically load a script from it.”

That URL, hxxps://www.gooqletagmanager[.]com/gtm.js., also closely mirrors the URL for a legitimate service; this time, the Google Tag Manager service. The only change is that a “Q” replaces the second “G” in Google’s name.

“These fake Angular scripts are typically injected into the Magento database and can be found in the HTML source of web pages on compromised Magento sites,” the researchers said. “In most cases, they are not formatted as well as the above sample and occupy just a long, single line of code. Each site has its own version of the script, with different decryption keys and encoded URLs. It’s worth mentioning that the majority of these <script> tags have various misleading references to google/analytics/magento/conversions.”

The hacked sites that are serving the code are not limited to Magento, Sucuri added:  WordPress, Joomla and Bitrix sites are also impacted. In all cases, the scripts harvest payment information from e-commerce checkout pages.

Sucuri didn’t identify the threat actor behind this latest campaign, but card-skimming is a growing threat, particularly in light of the voluminous activity by the Magecart Group. Last year, more than 7,000 individual e-commerce sites were found to have been infested with the MagentoCore.net payment-card skimmer, making the malicious script one of the most successful credit-card threats out there. The infections are part of a single effort, all tied back to the well-resourced Magecart, which has global reach.

Site administrators should scrutinize the addition of any new code to their websites to protect their consumers from these kinds of attacks.

“Even if you don’t understand what the code does, you can assume its malicious nature if it wasn’t added by anyone responsible for site maintenance,” Sucuri concluded.

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar Wednesday, Feb. 27 at 2 p.m. ET.

Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout will join Threatpost senior editor Tara Seals.

They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.

 

Suggested articles