Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers steal credit card data abusing Google’s Apps Script

Hackers abuse Google Apps Script to steal credit cards, bypass CSP Attackers are abusing Google’s Apps Script business application development platform to steal payment card information from e-stores. Sansec researchers reported that threat actors are abusing Google’s Apps Script business application development platform to steal credit card data provided by customers of e-commerce websites. “Attackers use […]

Google's Apps Script magecart

Hackers abuse Google Apps Script to steal credit cards, bypass CSP

Attackers are abusing Google’s Apps Script business application development platform to steal payment card information from e-stores.

Sansec researchers reported that threat actors are abusing Google’s Apps Script business application development platform to steal credit card data provided by customers of e-commerce websites.

“Attackers use the reputation of the trusted Google domain script.google.com to evade malware scanners and trust controls like CSP.” reads the post published by the security firm Sansec.

Attackers use the script.google.com domain to avoid detection and bypass Content Security Policy (CSP) controls, the Google domain, and its subdomains, are whitelisted by default in the CSP configuration of the e-stores.

The new technique was discovered by security researcher Eric Brandel using the Sansec’s Early Breach Detection tool.

Attackers compromise the e-stores by injecting a small piece of obfuscated code into their pages:

Google's Apps Script magecart

the malware was designed to intercepts payment forms and sends the data to a custom application hosted at Google Apps Script.

https[:]//script[.]google.com/macros/s/AKfycbwRGFNoOpnCE9c8Y7jQYknBhSTPHNfLaEZ-IB_JEzeLLjY-FmM/exec

Experts pointed out that the the actual code hosted at Google is not public, but the error message displayed reaching the above script suggests that stolen payment data is funneled by Google servers to an Israel-based site called analit[.]tech.

Google's Apps Script magecart

Experts noticed that this malicious domain http://analit[.]tech/ was registered on the same day as previously discovered domains hotjar[.]host and pixelm[.]tech that were involved in malware attacks, who are also hosted on the same network.

“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring is essential in any modern security policy.” concludes Sansec.

This isn’t the first time that Magecart hackers abused Google services in their campaign, in June, Kaspersky identified several web skimming attacks that abused Google Analytics service to exfiltrate data stolen with an e-skimmer software.

Threat actors exploit the trust in Analytics to bypass Content Security Policy (CSP) using the Analytics API.

Attackers targeted e-store using Google’s web analytics service for tracking visitors and that for this reason Google Analytics domains are whitelisted in their CSP configuration.

Kaspersky found about two dozen infected sites worldwide, including e-stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Google’s Apps Script)

[adrotate banner=”5″]

[adrotate banner=”13″]