Web-skimming scam infected e-commerce sites on three continents

About two dozen e-commerce websites in North America, South America and Europe were recently “web-skimmed” through a ruse pretending to be Google Analytics.

Despite differences in the merchandise sold, including digital equipment, cosmetics, food products and spare parts, the victimized web stores had one thing in common: they failed to notice a purposefully placed typo, such as with ‘,’ which can result in an errant flow of payment information, according to a Kaspersky blog post.

So while over the past decade and a half Google Analytics has transformed e-commerce with an essential tool now used by more than 29 million websites to analyze their traffic, it has also created a paradise for hackers, who exploit it by pretending to be something they're not.

“To make the data flow to a third-party resource less visible, fraudsters often register domains resembling the names of popular web services,” the blog post said. The scheme typically involves a multitude of legitimate-looking URL variations, but the study also found that attacks of this kind sometimes use the authentic Google Analytics service, which websites “blindly trust” without being as scrupulous as necessary.

To harvest data about visitors using Google Analytics, websites must configure the tracking parameters in their account on, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Tracking codes then send data about visitors to different Analytics accounts.

Securelist identified several cases in which the service was misused: attackers injected malicious code into the targeted sites, which collected all the data entered by users and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account.

Unsuspecting administrators typically write * into the Content-Security-Policy header that’s used for listing resources from which third-party code can be downloaded, allowing the service to collect data. However, an attack can be implemented without downloading code from external sources, Kaspersky pointed out.
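
The check below is an added example, not code from Kaspersky or from this article. It audits a page's source for tracking IDs other than the site's own and reports which Content-Security-Policy directives would still let data reach Analytics, since the header matches hosts and not Analytics accounts. The function names, the sample page, the sample tracking IDs and the `*.google-analytics.com` policy entry are assumptions made for the example.

```javascript
// Added example; function names and sample inputs are constructed for illustration.
const UA_ID = /\bUA-\d{4,10}-\d{1,4}\b/g;          // tracking ID shape: UA-XXXX-Y
const GA_HOST = /(^|\.)google-analytics\.com$/i;
const FETCH_DIRECTIVES = ['script-src', 'connect-src', 'img-src'];

// Parse a Content-Security-Policy value into { directive: [sources] }.
// Per the CSP spec, a repeated directive is ignored (first one wins).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True if a CSP source expression lets the page talk to Google Analytics.
function allowsAnalytics(source) {
  if (source === '*' || source === 'https:') return true;
  const host = source.replace(/^[a-z]+:\/\//i, '').replace(/^\*\./, '').split(/[/:]/)[0];
  return GA_HOST.test(host);
}

// Report tracking IDs that are not the site's own, and which fetch
// directives would let data reach Analytics. CSP matches hosts, not
// accounts, so an allowed Analytics host also admits a foreign ID.
function auditPage(html, cspHeader, ownIds) {
  const own = new Set(ownIds);
  const foreignIds = [...new Set(html.match(UA_ID) || [])].filter((id) => !own.has(id));
  const policy = parseCsp(cspHeader);
  const openDirectives = FETCH_DIRECTIVES.filter((d) => {
    const sources = policy[d] || policy['default-src'];
    return !sources || sources.some(allowsAnalytics); // no directive = unrestricted
  });
  return { foreignIds, openDirectives, exposed: foreignIds.length > 0 && openDirectives.length > 0 };
}

// Constructed sample page and header (not taken from any real site).
const SAMPLE_HTML = `
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-1111111-1', 'auto'); ga('send', 'pageview');</script>
<script>ga('create', 'UA-2222222-7', 'auto', 'second');</script>`;
const SAMPLE_CSP = "default-src 'self'; script-src 'self' *.google-analytics.com; " +
  "img-src 'self' *.google-analytics.com";

console.log(auditPage(SAMPLE_HTML, SAMPLE_CSP, ['UA-1111111-1']));
```

A source scan like this only sees tracking IDs that appear in clear text; scripts that build the ID at run time have to be caught by inspecting the requests the page actually sends.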

To head off such attacks, Kaspersky urged the use of security software that detects the malicious scripts used in them as HEUR:Trojan-PSW.Script.Generic.

Furthermore, webmasters shouldn’t install web applications and CMS components from untrusted sources, and should keep all software current, patch reported vulnerabilities and create strong passwords for all administration accounts. Kaspersky also urged that user rights be limited, that users with access to service interfaces be tracked, and that user-entered data and query parameters be filtered to prevent third-party code injection. The company recommended that e-commerce sites use PCI DSS-compliant payment gateways.
