Cybersecurity expert Eric Brandel discovered that cybercriminals are abusing the Google Apps Script platform to steal bank card information that users provide to e-commerce sites while shopping on the Internet.
Hackers use the script.google.com domain for their own purposes and thus successfully hide their malicious activity from security solutions and bypass Content Security Policy (CSP). This is possible because online retailers generally view the Google Apps Script domain as trustworthy and often whitelist all Google subdomains.
Brandel says that he found an obfuscated web skimmer script injected by cybercriminals on the websites of online stores. Like any other MageCart script, it intercepts users’ payment information.
What made this script different from other similar solutions was that all stolen billing information was transmitted as base64-encoded JSON to Google Apps Script, and the script[.]google[.]com domain was used to retrieve the stolen data.
Only then was the information transferred to the attacker’s domain analit[.]tech.
I must say that this is not the first time that hackers have abused Google services, in particular Google Apps Script. For example, back in 2017 it became known that the Carbanak group was using Google services (Google Apps Script, Google Sheets, and Google Forms) as the basis for their C&C infrastructure.
Importantly, it was reported that the Google Analytics platform was also being abused for attacks like MageCart in 2020.
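The allowlisting weakness described above (a CSP that trusts all Google subdomains) can be checked for directly. The following is an added example, not code from Brandel or the original report: a small Node.js audit that lists which sources in a Content-Security-Policy header would permit requests to script.google.com. The function names and both sample policies are constructed for illustration.

```javascript
// Added example (not from the article): list CSP sources that allow script.google.com.
const FETCH_DIRECTIVES = ['script-src', 'connect-src', 'img-src', 'frame-src'];

// Parse a CSP header value into a Map of directive -> source list (first occurrence wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Does a single source expression permit an https request to `host`?
function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s === '*' || s === 'https:') return true;   // wildcard or scheme-only source
  if (s.startsWith("'")) return false;            // keywords, nonces, hashes
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::[^/]*)?(\/.*)?$/);
  if (!m || (m[1] && m[1] !== 'https')) return false;
  if (m[2].startsWith('*.')) return host.endsWith(m[2].slice(1)); // *.google.com
  return m[2] === host;
}

// Report every directive/source pair that leaves a path open to `host`.
function auditCsp(header, host = 'script.google.com') {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of [...FETCH_DIRECTIVES, 'form-action']) {
    // Fetch directives fall back to default-src; form-action does not.
    const fallback = directive === 'form-action' ? undefined : policy.get('default-src');
    const sources = policy.get(directive) ?? fallback;
    if (sources === undefined) {
      findings.push({ directive, source: '(unset: unrestricted)' });
      continue;
    }
    for (const source of sources) {
      if (sourceAllowsHost(source, host)) findings.push({ directive, source });
    }
  }
  return findings;
}

// Constructed sample policies: one trusting all Google subdomains, one pinned to a single host.
const WEAK = "default-src 'self'; script-src 'self' https://*.google.com; connect-src 'self' *.google.com; form-action 'self'";
const TIGHT = "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/; connect-src 'self'; form-action 'self'";

console.log(auditCsp(WEAK));
```

Any finding for `connect-src`, `img-src` or `form-action` marks a channel through which a skimmer on the page could send data to an Apps Script endpoint without violating the policy.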