Google Analytics used by Cyber-criminals to avoid CSP barrier & take financial data!

Google Analytics used by Cyber-criminals to avoid CSP barrier & take financial data!

Online shops in Europe, US & South America have been found to be compromised by an attack using Google Analytics to sidestep CSP – more barriers are now advised.

Hackers seem to have devised a new ‘skimming method’ to steal payment card information from victims as they shop on-line.


Says a blog post by PerimeterX, the attack bypasses a web application’s Content Security Policy (CSP) by using the Google Analytics API.

The techniques take advantage of the web tracking service’s domains being ‘whitelisted’ in CSP configurations. CSP is used to protect applications against client-side vulnerabilities & Magecart attacks.

Researchers found “an easy to reproduce vulnerability in the core functionality of CSP when using it for blocking theft of credentials, PII & payment data like credit cards.”

For the web skimming attack to happen, hackers use their own Google Analytics tag ID as the CSP “can’t discriminate based on the Tag ID”.

CSP Rule System

“The source of the problem is that the CSP rule system isn’t granular enough. Recognising & stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access & exfiltration of sensitive user data (in this case the user’s email address & password),” stated PerimeterX’s VP of research Amir Shaked.

In a blog post by Kaspersky, researchers described about 24 infected sites globally. The victims included stores in Europe & North & South America selling digital equipment, cosmetics, food products, spare parts etc.


“What’s more, the attack can be implemented without downloading code from external sources,” said Victoria Vlasova, Senior Malware Analyst at Kaspersky.

Shaked further explained that a possible solution would come from adaptive URLs, adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts.

“A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement. This will essentially create a client-side WAF that can enforce a policy on where specific data field are allowed to be transmitted,” he further added.


“While CSP is a useful tool to have in your web security tool belt, it is not fool-proof. In addition to the complexity of managing CSP rules, this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection.”

Jamie Akhtar, CEO & Co-Founder of CyberSmart, explained that there are some ways organisations can protect themselves against these attacks.

3rd party code

“For example, they can use a tag manager which will hide the UA-XXXXXX Ids. It is also important to have an inventory of all 3rd party code being used to know what data is being accessed. Using any 3rd-party code will come with risks so it is safest to assume any code is vulnerable. There are code protection applications out there so it would be good practice to implement them,” he observed.


“Having more barriers to sign in is also a good place to start in protecting yourself. Using 2-factor authentication, Google authenticator or enabling more than 2 devices for protected sign in. You should also ensure your data is encrypted as you share it across platforms.”