The Google Analytics Breach And What Is Being Done About It

Abuse of Google Analytics' tracking service is drawing attention across the security community as a new and dangerous threat vector. To steal credit card numbers and login credentials, attackers inject malicious code into poorly secured websites alongside the Google-generated tracking snippet.

When a visitor enters data on an infected site, the attackers receive it in their own Google Analytics account, which serves as the collection channel for payment and other personal data.

The Nature Of The Threat

To collect visitor data with Google Analytics, a site owner configures tracking in their Analytics account, obtains the tracking ID (a string of the form UA-XXXX-Y, which Google uses to distinguish one account from another), and embeds it in the web pages along with the tracking code (a short JavaScript snippet). Several tracking snippets can coexist on one site and submit visitor data to different Analytics accounts.

Attackers inject malicious code that blends in with the legitimate Analytics snippets used to track user behaviour on the compromised site. This lets them siphon the payment details users enter, even on sites that enforce a Content Security Policy intended to provide a high level of protection.

For analytics to work at all, a site's policy must explicitly whitelist the domain https://www.google-analytics.com; otherwise any attempt to load the script or submit data fails, so webmasters have no choice but to allow the service. Because the policy allows the domain rather than a particular account, an attacker who slips their own Analytics ID into a snippet can send end-user data to their own account without loading any external code.

Security vendors have already identified over 24 affected websites in Europe, South America, and North America.

The Source Of The Breach

Gathering data with this technique requires only a small piece of JavaScript. The code sends the harvested data, such as credentials and payment details, to Analytics as a custom event.

Other Analytics mechanisms for recording and measuring user actions are used the same way. The most dangerous aspect is that the attack requires neither downloading nor editing any source code: the attacker only needs to place their own Analytics ID in the snippet, and Google's servers handle the rest.

More sophisticated variants make the attack stealthier by checking for a feature called developer mode, which lets a person inspect network requests and errors in the browser's security layers. The malicious code runs only when its check for this feature reads negative, that is, when developer mode is not enabled in the visitor's browser.

What Is Being Done About It

Protection platforms must predefine the set of domains the browser is allowed to contact, so that untrusted code cannot function. It is also necessary to allow only specific URLs and to include the account identifier as part of the permitted URL, so that data cannot be sent to an unrelated account.

A more direct approach is to strengthen the Content Security Policy (CSP). This effectively creates a client-side web application firewall (WAF) that declares where specific data fields may be transmitted.

Website owners should instead compile the list of parameters that Analytics actually needs and whitelist specific URLs rather than the whole domain. This enables proactive monitoring and granular control over sensitive data, which ultimately blocks siphoning attempts.

Web skimming attacks are particularly hard for antivirus solutions to detect because they do not attack or affect the application's core infrastructure. A zero-trust approach that restricts the ability to run code to specific, authorized people therefore helps keep users' data safe.

Data protection companies broadly advise adopting a zero-trust approach. Web teams should be asked to evaluate third-party services that help create privacy and security policies, and should then restrict access to personally identifiable information (PII) to a specific set of personnel.

With these policies in place, malicious code that does reach your site cannot access sensitive information, and alerts are raised when an outside entity attempts to exploit it.

Bottom Line

Web skimming attacks are common, and there is little users themselves can do to keep their data protected at all times. The key responsibility of protection platforms is to provide sound strategies that close off any form of bypass attackers could exploit.

Website owners should not install plugins, CMS components, or other applications from unverified sources. Webmasters should also set strong administrator passwords, maintain PCI DSS compliance, and limit user permissions to the bare minimum. In addition, constant patching and updating of applications is necessary to prevent data breaches.