Credit card skimming via Google Analytics

Web skimming is a type of cyberattack that targets online shoppers. In these attacks malicious code collects and sends data entered by the shopper to a criminal. The criminals can use this data to gain access to the shopper’s payment information.

Sometimes fraudsters register domain names that seem to be those of credible companies e.g. and They then place malicious code in these sites. But on other occasions the attackers use authentic sites by injecting the malicious code into them.

How does this work? To use Google Analytics (GA), site owners insert a GA tracking code into their websites. The code includes a tracking ID that looks something like UA-11111111-1, and several of these codes, sending reports to different accounts, can exist on the same page.

Online security company Kaspersky have recently identified instances where this code has been used fraudulently. Attackers injected malicious code into a number of sites. Data entered by users, including credit card data, was collected via the GA code and then sent on to the criminals’ GA accounts.

Kaspersky have found around two dozen infected sites worldwide, including shops in Europe, North America and South America selling a wide range of goods including computers, cosmetics and groceries.

Why is this a problem?

Google Analytics is a very popular service used on millions of sites. Site users generally don’t know it is there, and site owners and administrators trust it completely. And because of the way the fraud is delivered, the attack can be implemented without code being downloaded to end users each time they visit: once the malicious code has been uploaded, the site is infected.

What can be done to avoid the problem?

For users it’s simple: download security software that will protect against this type of attack. This type of software will be able to detect the malicious code used in these attacks and warn the user, or prevent them visiting the site.

Website builders also need to take action to prevent their sites from being contaminated. Again, simple actions can be very effective. Make sure admin accounts that can affect the website’s code are protected by strong passwords, and limit the number of people with access to those accounts. Ensure that any software is kept up to date. In addition, only take software and CMS components from trusted sources; for instance, any payment gateways should be PCI-DSS compliant. Finally, ensure that code injection by third parties is not possible.
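Because several tracking IDs can sit on the same page, one check a site owner can run is to list every ID in the served page source and flag any that is not their own. The following is an added example, not part of the original article; the function names, page paths and the second tracking ID are constructed for illustration.

```javascript
// Added example: audit page source for Google Analytics tracking IDs that the
// site owner does not recognise. All names and sample data are constructed.

// Classic GA tracking ID as shown in the article: UA-<account>-<property>.
const TRACKING_ID = /\bUA-\d{4,10}-\d{1,4}\b/gi;

// Return one finding per occurrence: the ID, its 1-based line and the line text.
function findTrackingIds(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(TRACKING_ID)) {
      findings.push({ id: match[0].toUpperCase(), line: index + 1, text: text.trim() });
    }
  });
  return findings;
}

// Compare every page against the owner's allowlist (hypothetical input).
function auditPages(pages, allowedIds) {
  const allowed = new Set(allowedIds.map((id) => id.toUpperCase()));
  const report = [];
  for (const [url, source] of Object.entries(pages)) {
    for (const finding of findTrackingIds(source)) {
      if (!allowed.has(finding.id)) report.push({ url, ...finding });
    }
  }
  return report;
}

// Constructed sample: the owner's ID is UA-11111111-1; the checkout page also
// carries a second, unknown ID inside an inline script.
const SAMPLE_PAGES = {
  "/index.html": [
    "<script>",
    "  ga('create', 'UA-11111111-1', 'auto');",
    "</script>",
  ].join("\n"),
  "/checkout.html": [
    "<script>",
    "  ga('create', 'UA-11111111-1', 'auto');",
    "  ga('create', 'ua-22222222-2', 'auto', 'second');",
    "</script>",
  ].join("\n"),
};

for (const hit of auditPages(SAMPLE_PAGES, ["UA-11111111-1"])) {
  console.log(`${hit.url}:${hit.line} unexpected tracking ID ${hit.id}: ${hit.text}`);
}
```

A static scan like this only sees IDs written literally in the source; an ID assembled at runtime needs a check on the page's outgoing requests instead.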

A detailed technical description of the attack is available here.

Copyright Lyonsdown Limited 2021
