How Hackers are Stealing Credit Cards Using Google Apps Script

by CISOCONNECT Bureau

Attackers are abusing Google’s Apps Script business application development platform to steal credit card information. Read on to know more…

Credit card details of shoppers have been under threat for quite some time now. However, the threat just got bigger with hackers using a unique technique for the purpose.

A security researcher has unearthed a novel approach devised by hackers to grab credit card details of ecommerce shoppers using Google’s own tools.

Attackers are exploiting the Google Apps Script domain, script.google.com, to evade Content Security Policy (CSP) controls and malware scan engines. The technique is particularly intriguing because e-commerce stores trust Google's domains, so all Google subdomains, including the Apps Script domain, would get whitelisted on their sites.

This is not the first time that this platform has been abused. The FIN7 threat actor used this technique in 2017, along with Google Sheets and Google Forms. Its re-emergence indicates that protecting online stores from untrusted domains is simply not enough anymore.

Observations
“Attackers use the reputation of the trusted Google domain script.google.com to evade malware scanners and trust controls like CSP,” reads the post published by the security firm Sansec.

While analyzing data from cybersecurity company Sansec, Eric Brandel discovered that hackers were using Google’s Apps Script domain to appear legitimate to any Content Security Policy controls. “What makes abusing Google Apps Script interesting is that the endpoint is script[.]google[.]com,” Brandel shared on Twitter.

Evading Content Security Policy
The Content Security Policy helps identify trusted sources in a bid to prevent cross-site scripting and other types of code injection attacks. In this instance, however, the hackers managed to trick the controls by masquerading behind a trusted domain.

Brandel discovered that the hackers banked on the fact that virtually all online stores would’ve whitelisted all Google subdomains in their respective CSP configurations. They abused this trust, using the Apps Script domain to route the stolen data to a server under their control.
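
A defender-side check for the allowlisting problem described above, as an added example that is not part of the original article: it parses a CSP header and reports which directives would let injected code reach script.google.com. The function names, the sample policy and the choice of directives are assumptions made for illustration.

```javascript
// Added example, not from the article. Flags CSP directives that allow a watched host.
const WATCHED = ['script.google.com']; // endpoint named in the article
// Directives through which injected code can load script or move data off the page.
const EXFIL_DIRECTIVES = ['script-src', 'connect-src', 'img-src', 'form-action'];
// Constructed sample policy that allowlists every Google subdomain.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://*.google.com; " +
  "connect-src 'self' *.google.com; img-src 'self' data:; form-action 'self'";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// True if one CSP source expression permits an https request to `host`.
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:' || s === 'http:') return true; // http: also matches https
  if (s.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/.test(s)) return false; // keywords, other schemes
  // Drop scheme, path and port: a path narrows the match but the host stays reachable.
  const pattern = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].replace(/:(\d+|\*)$/, '');
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === '*' || pattern === host;
}

function auditCsp(header, watched = WATCHED) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of EXFIL_DIRECTIVES) {
    // Fetch directives fall back to default-src; form-action does not.
    const sources = policy.get(directive) ??
      (directive === 'form-action' ? undefined : policy.get('default-src'));
    for (const host of watched) {
      if (sources === undefined) {
        findings.push({ directive, host, via: '(no restriction)' });
      } else {
        const via = sources.find((src) => sourceAllows(src, host));
        if (via) findings.push({ directive, host, via });
      }
    }
  }
  return findings;
}

console.log(auditCsp(SAMPLE_POLICY));
```

Replacing the wildcard entries with the exact Google hosts the store actually uses clears the findings for the sample policy.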

This isn’t the first time online fraudsters have ridden on the reputation of Google’s domains and services. As per reports, notorious cybercriminal groups have abused Google services such as Google Sheets and Google Forms for malware command-and-control communications.

Google Analytics Under Attack
Magecart attacks are abusing the Google Analytics platform to steal payment credentials from dozens of web stores. Why is this crucial? Because exploiting the Google Analytics API allows hackers to sidestep CSP. Instead of CSP blocking injection-based attacks, the allowed Google Analytics scripts enable threat actors to steal and exfiltrate information.

Conclusion
The Content Security Policy was created to limit the execution of untrusted code. However, because of the trust placed in Google, the model is now flawed. It is therefore imperative that online store owners ensure that hackers cannot inject unauthorized code. Moreover, vulnerability and server-side malware scanning should be conducted.
