Attackers abusing Google Apps Script to steal bank card details

Written by Emma Davis

Cybersecurity expert Eric Brandel discovered that cybercriminals are abusing the Google Apps Script platform to steal bank card information that users provide to e-commerce sites while shopping on the Internet.

Hackers use the script.google.com domain for their own purposes and thus successfully hide their malicious activity from security solutions and bypass Content Security Policy (CSP). This is possible because online retailers generally view the Google Apps Script domain as trustworthy and often whitelist all Google subdomains.

Brandel says that he found an obfuscated script of a web skimmer injected by cybercriminals on the websites of online stores. Like any other MageCart script, it intercepts users’ payment information.

What made this script different from other similar solutions was that all stolen billing information was transmitted as base64-encoded JSON to Google Apps Script, and the script[.]google[.]com domain was used to retrieve the stolen data.

"What this endpoint does is it simply takes the “img” URL parameter and passes it on to the attacker controlled endpoint. This is very easy to do and I was able to replicate the setup in about 5 minutes," writes Eric Brandel on his Twitter account.

Only then was the information transferred to the attacker’s domain, analit[.]tech.

"The malicious domain analit[.]tech was registered on the same day as the previously detected malicious domains hotjar[.]host and pixelm[.]tech, which are hosted on the same network," the researcher notes.
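The pattern described above, base64-encoded JSON carried in a query parameter to script[.]google[.]com, can be hunted for in proxy logs or CSP violation reports. The following Python is an added example, not code from the researcher or this article; the length threshold, the `EXAMPLE_DEPLOYMENT_ID` placeholder and the sample field names are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

APPS_SCRIPT_HOST = "script.google.com"  # host named in the article
MIN_LEN = 24  # assumption: skip short values that decode to JSON by coincidence


def decode_b64_json(value):
    """Return the parsed object if value is base64 (standard or URL-safe) JSON."""
    # parse_qsl turns an unescaped '+' into a space, so undo that first,
    # then map the URL-safe alphabet back to the standard one.
    text = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    if len(text) < MIN_LEN:
        return None
    text += "=" * (-len(text) % 4)  # restore stripped padding
    try:
        obj = json.loads(base64.b64decode(text, validate=True).decode("utf-8"))
    except ValueError:  # covers binascii.Error, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, (dict, list)) else None


def suspicious_params(url):
    """List (parameter, decoded keys) for Apps Script requests carrying base64 JSON."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != APPS_SCRIPT_HOST:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        obj = decode_b64_json(value)
        if obj is not None:
            hits.append((name, sorted(obj) if isinstance(obj, dict) else ["<list>"]))
    return hits


def build_samples():
    """Constructed request URLs; deployment ID and card fields are placeholders."""
    payload = json.dumps({"number": "0000000000000000", "exp": "00/00", "cvv": "000"})
    blob = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    base = "https://script.google.com/macros/s/EXAMPLE_DEPLOYMENT_ID/exec"
    return [
        f"{base}?img={blob}",                     # matches the reported pattern
        f"{base}?page=checkout&lang=en",          # Apps Script, no encoded payload
        f"https://shop.example/cart?img={blob}",  # different host, out of scope
    ]


if __name__ == "__main__":
    for sample in build_samples():
        print(suspicious_params(sample) or "clean", sample[:70])
```

A hit from a checkout page is worth triage rather than proof of compromise, since legitimate Apps Script integrations may also pass encoded parameters.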

I must say that this is not the first time that hackers have abused Google services, in particular Google Apps Script. For example, back in 2017 it became known that the Carbanak group was using Google services (Google Apps Script, Google Sheets, and Google Forms) as the basis for their C&C infrastructure.

Importantly, it was reported that the Google Analytics platform was also being abused for attacks like MageCart in 2020.
