Credit card skimming via Google Analytics

Credit card skimming via Google Analytics

Web skimming is a type of cyberattack that targets online shoppers. In these attacks malicious code collects and sends data entered by the shopper to a criminal. The criminals can use this data to gain access to the shopper’s payment information.

Sometimes fraudsters register domain names that seem to be those of credible companies e.g. and They then place malicious code in these sites. But on other occasions the attackers use authentic sites by injecting the malicious code into them.

How does this work? Google Analytics (GA) involves site owners inserting a GA tracking code into their websites. The code includes a tracking ID that looks something like this UA-11111111-1 and several of these, sending reports to different accounts, can exist on the same page.

Online security company Kaspersky have recently identified instances where this code has been used fraudulently. Attackers injected malicious code into a number of sites. Data entered by users, including credit card data, was collected via the GA code and then sent on to the criminals’ GA accounts.

Kaspersky have found around two dozen infected sites worldwide including shops in Europe, North America and South America selling aa wide range of goods including computers, cosmetics and groceries.

Why is this a problem?

Google Analytics is a very popular service used on millions of sites. Site users generally don’t know it is there. And site owners and administrators trust it completely. And because of the way the fraud is delivered, the attack can be implemented without code being downloaded to end users each time they visit: once the malicious code has been uploaded once, the site is infected.

What can be done to avoid the problem?

For users it’s simple: download security software that will protect against this type of attack. This type of software will be able to detect the malicious code used in these attacks and want the user, or prevent them visiting the site.

Website builders also need to take action to avoid allowing their site being contaminated. And again simple actions can be very effective. Make sure admin accounts that can affect the website’s code are protected by strong passwords and limit the number of people with access to those accounts. Ensure that any software is kept up to date. And in addition, only take software and CMS components from trusted sources; for instance any payment gateways should be PCI-DSS compliant. Finally ensure that code injection by third parties is not possible.

A detailed technical description of the attack is available here.

Main image courtesy of

Copyright Lyonsdown Limited 2021

Top Articles

Amazon fined a staggering £636 million in Europe for GDPR violations

Luxembourg’s National Commission for Data Protection (CNPD) has imposed an unprecedented fine of €746 million (£636 million) on Amazon for GDPR violations.

SysAdmin Day 2021: Paying thanks to the unsung IT heroes

Today is SysAdmin Day when we should pay tribute to the system administrators working around the clock to keep business running smoothly

Former First Sea Lord says Royal Navy ships are vulnerable to hackers

A former First Sea Lord has warned that Royal Navy ships and Britain's merchant fleet could become sitting ducks for hackers if adversaries find ways to knock out satellite communications.

Related Articles

[s2Member-Login login_redirect=”” /]