Hackers stealing credit card details using Google apps

Credit card information for sale
(Image credit: Shutterstock)
Audio player loading…

A security researcher has unearthed a novel approach devised by hackers to grab credit card details of ecommerce (opens in new tab) shoppers using Google's own tools. 

While analyzing data from cybersecurity company Sansec, Eric Brandel discovered that hackers were using Google’s Apps Script domain to appear legitimate to any Content Security Policy (CSP) controls.

“What makes abusing Google Apps Script interesting is that the endpoint is script[.]google[.]com,” Brandel shared on Twitter (opens in new tab).

Abusing trust

CSP helps identify trusted sources in a bid to prevent cross-site scripting and and other types of code injection attacks. In this instance however, the hackers managed to trick the controls by masquerading behind a trusted domain. 

Brandel discovered that the hackers banked on the fact that virtually all online stores would’ve whitelisted all Google subdomains in their respective CSP configurations. They abused this trust to use the App Script domain to route the stolen data to a server under their control.

This isn’t the first time online fraudsters have rode on the reputation of Google’s domains and services. As per reports, notorious cybercriminal groups have abused Google services such as Google Sheets and Google Forms for malware (opens in new tab) command-and-control communications. 

Last year, Sansec discovered a web skimming campaign (opens in new tab) run entirely on Google servers, which was sending stolen credit card information to Google Analytics (opens in new tab).

Brandel shares that he was able to replicate the setup of the latest abuse in a matter of minutes, cheekily adding that it’s high time web developers should stop configuring their CSPs to trust Google sub-domains.

Via: BleepingComputer (opens in new tab)

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.