Hackers stealing credit card details using Google apps
Criminals found to be lifting credit card details from e-commerce websites via Google Apps Script
A security researcher has unearthed a novel approach devised by hackers to grab credit card details of ecommerce shoppers using Google's own tools.
While analyzing data from cybersecurity company Sansec, Eric Brandel discovered that hackers were using Google’s Apps Script domain to appear legitimate to any Content Security Policy (CSP) controls.
“What makes abusing Google Apps Script interesting is that the endpoint is script[.]google[.]com,” Brandel shared on Twitter.
- Shield yourself with these best identity theft protection services
- Protect your devices with these best antivirus software
- We've put together a list of the best endpoint protection software
Abusing trust
CSP helps identify trusted sources in a bid to prevent cross-site scripting and and other types of code injection attacks. In this instance however, the hackers managed to trick the controls by masquerading behind a trusted domain.
Brandel discovered that the hackers banked on the fact that virtually all online stores would’ve whitelisted all Google subdomains in their respective CSP configurations. They abused this trust to use the App Script domain to route the stolen data to a server under their control.
This isn’t the first time online fraudsters have rode on the reputation of Google’s domains and services. As per reports, notorious cybercriminal groups have abused Google services such as Google Sheets and Google Forms for malware command-and-control communications.
Last year, Sansec discovered a web skimming campaign run entirely on Google servers, which was sending stolen credit card information to Google Analytics.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Brandel shares that he was able to replicate the setup of the latest abuse in a matter of minutes, cheekily adding that it’s high time web developers should stop configuring their CSPs to trust Google sub-domains.
- Make sure you use one of these best password managers
Via: BleepingComputer
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.