Hackers use Google Analytics to bypass CSP & Steal Credit Cards Details

google analytics

Hackers are now exploiting the Google Analytics platform and Google’s servers to pilfer credit card information from infected e-commerce sites.

This isn’t an exploit in Google Analytics itself.

An estimated 24 websites have already been affected by this new technique.


Kaspersky Researchers have now stated that they have found a new technique that is being used by hackers. They are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them steal payment information entered by users even in times when content security policies are enforced for maximum web security.

The researchers said that they have “identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account.”

How Did They Bypass Content Security Policy

content security policy

CSP is an additional security measure used in detecting and mitigating threats from cross-site scripting vulnerabilities.

To conceal the hacking actions, the hacker set up a temporary iFrame to stack an attacker-controlled Google Analytics account. Afterward, the details of the credit card data are encrypted and delivered to the analytics console. From there the encryption key is used to recover the details

Out of the top 3 million Internet domains, only 210,000 are using CSP according to statistics from PerimeterX based on an HTTPArchive scan from March 2020. 17,000 of the websites reachable via those domains are whitelisting the google-analytics.com.

Read more Interesting articles and all the latest Tech News on Codifica: