Threat actors are using a novel approach to steal the credit card details of e-commerce shoppers by exploiting Google’s Apps Script business application platform. Threat actors are abusing Google Apps Script domain ‘script.google.com’ to hide their malicious activities from malware scan engines and evade Content Security Policy (CSP) controls.
Eric Brandel, a cybersecurity researcher unearthed the scam while analyzing Early Breach Detection data provided by Sansec, a cybersecurity firm focused on fighting digital skimming. Brandel explained that threat actors bank on the fact that the majority of the online stores would have whitelisted all Google subdomains in their respective CSP configuration (a security protocol for blocking suspicious code execution in web apps). They take advantage of this trust and abuse the App script domain to route the stolen data to a server under their possession.
Once, the malicious script was injected by the fraudsters in the e-commerce site, all the payment details stolen from the exploited e-commerce site were transferred as base64 encoded JSON data to a Google Apps Script custom app, using script.google.com as an exfiltration endpoint. Then, the stolen data was transferred to another server - Israel-based site analit. tech – handled by fraudsters.
Sansec stated that “the malware domain analit[.]tech was registered on the same day as previously discovered malware domains hotjar[.]host and pixelm[.]tech, who are hosted on the same network.” Google services such as Google Forms and Google Sheets are also exploited in the past by FIN7 cybercriminal gang for malware command-and-control communications. This gang has targeted banks and point-of-sale (POS) terminals EU and US firms using the Carbanak backdoor.
“Typically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its location reveals its nefarious intent. But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious’. And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google”, Sansec explained the workings of the fraudsters.