Google Apps Script abused by hackers to steal credit cards, bypass CSP
Once deployed, the scripts let them harvest payment and personal information submitted by customers of the hacked shops and collect it on servers under their control.
Google Apps Script domain used as an exfiltration endpoint
As he found, the malicious, obfuscated skimmer script injected by attackers into e-commerce pages captured payment information submitted by users.
All the payment information stolen from the compromised online stores was transferred as base64-encoded JSON to a custom Google Apps Script app, with script.google.com serving as the exfiltration endpoint.
After reaching the Google Apps Script endpoint, the data was forwarded to another server (analyst tech, located in Israel) controlled by the hackers.
“E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring are essential in any modern security policy.”
Google Analytics also abused to steal credit cards
Other Google services have also been exploited in Magecart attacks, with the Google Analytics tool being used by criminals to extract payment data from several dozen online retailers.
“Typically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its location reveals its nefarious intent,” Sansec explained at the time.
“But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious.’ And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google.”
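A site administrator can check whether their own policy has the gap described above. The audit below is an added example, not code from Sansec or the original article; the host list, function names and sample policy are assumptions made for illustration, and source matching is simplified (ports and paths are ignored).

```javascript
// Assumption: hosts where any account holder can publish or collect data.
const SHARED_HOSTS = ["script.google.com", "www.google-analytics.com"];

// Directives that decide where page script can send data. form-action does
// not fall back to default-src; the other three do.
const EGRESS = ["connect-src", "img-src", "script-src", "form-action"];

// Constructed sample policy, not taken from any real site.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://*.google.com; form-action 'self'";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified host-source matching: scheme, port and path are stripped.
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  if (s.startsWith("'")) return false; // 'self', 'none', nonces, hashes
  const pattern = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split(/[/:]/)[0];
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Returns one finding per (directive, shared host) pair the policy permits.
function auditCsp(header, sharedHosts = SHARED_HOSTS) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of EGRESS) {
    const fallback = directive === "form-action" ? undefined : policy.get("default-src");
    const sources = policy.get(directive) ?? fallback;
    for (const host of sharedHosts) {
      const via = sources === undefined
        ? "(no restriction)"
        : sources.find((src) => sourceAllows(src, host));
      if (via) findings.push({ directive, host, via });
    }
  }
  return findings;
}
```

Each finding names a directive through which a script injected into the page could reach a shared Google host; tightening the policy narrows that path but does not replace server-side monitoring for injected code.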