A security researcher has unearthed a novel approach devised by hackers to grab credit card details of ecommerce shoppers using Google's own tools.
While analyzing data from cybersecurity company Sansec, Eric Brandel discovered that hackers were using Google’s Apps Script domain to appear legitimate to any Content Security Policy (CSP) controls.
“What makes abusing Google Apps Script interesting is that the endpoint is script[.]google[.]com,” Brandel shared on Twitter.
CSP lets a site declare which sources it trusts, in a bid to prevent cross-site scripting and other types of code injection attacks. In this instance, however, the hackers tricked the controls by masquerading behind a trusted domain.
Brandel discovered that the hackers banked on the fact that virtually all online stores would have whitelisted all Google subdomains in their respective CSP configurations. They abused this trust to use the Apps Script domain to route the stolen data to a server under their control.
This isn’t the first time online fraudsters have ridden on the reputation of Google’s domains and services. As per reports, notorious cybercriminal groups have abused Google services such as Google Sheets and Google Forms for malware command-and-control communications.
Brandel says he was able to replicate the setup in a matter of minutes, cheekily adding that it is high time web developers stopped configuring their CSPs to trust every Google subdomain.
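To make the point about over-broad allowlists concrete, here is a small CSP checker added for this article (not code from Brandel or Sansec). It is a simplified source matcher, not a full CSP implementation: host-only sources are assumed to be https and ports are ignored. The two policies and the `shop.example` origin are constructed; the first policy trusts every Google subdomain, the second names only the specific Google hosts a shop actually uses.

```python
from urllib.parse import urlparse

# Constructed policies (not from the article): one that trusts every Google
# subdomain, and one that names only the specific Google hosts the shop needs.
WEAK_CSP = ("default-src 'self'; script-src 'self' https://*.google.com; "
            "connect-src 'self' https://*.google.com")
TIGHT_CSP = ("default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
             "connect-src 'self' https://www.google-analytics.com")

def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, url):
    """Simplified CSP host-source matching: scheme, host (with a leading
    '*.' wildcard) and path prefix. Keyword sources ('self' etc.) never match here."""
    if source.startswith("'"):
        return False
    if "://" not in source:
        source = "https://" + source          # simplification: host-only sources assumed https
    s, u = urlparse(source), urlparse(url)
    if s.scheme != u.scheme:
        return False
    shost, uhost = (s.hostname or "").lower(), (u.hostname or "").lower()
    if shost.startswith("*."):
        if not uhost.endswith(shost[1:]):     # "*.google.com" -> ".google.com"
            return False
    elif shost != uhost:
        return False
    return not s.path or s.path == "/" or u.path.startswith(s.path)

def csp_allows(policy, directive, url, page_origin):
    """Would a request to `url` under `directive` (e.g. connect-src for fetch/XHR)
    pass `policy` on a page served from `page_origin`? Falls back to default-src."""
    d = parse_csp(policy)
    sources = d.get(directive) or d.get("default-src", [])
    if "'self'" in sources and url.startswith(page_origin + "/"):
        return True
    return any(source_matches(s, url) for s in sources)

def wildcard_sources(policy):
    """Audit helper: (directive, source) pairs using a host wildcard, i.e. the
    overly broad entries that let any Google subdomain through."""
    return [(name, src) for name, srcs in parse_csp(policy).items()
            for src in srcs if "*." in src]
```

Running `csp_allows` with a constructed `https://script.google.com/macros/s/.../exec` URL shows the weak policy waving it through under `connect-src` while the tight policy blocks it; `wildcard_sources` is the quick audit to run over an existing policy.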
Via: BleepingComputer