The folks over at Sucuri have uncovered a new security threat involving malicious scripts posing as legitimate Google tracking calls in order to avoid casual detection. These scripts are designed to harvest sensitive data, such as credit card details, entered by visitors to compromised websites.
The malicious code mimics references to the standard Google Analytics and Google Tag Manager libraries by loading scripts from domains with nearly identical names, in some cases registered under alternative TLDs.
In the example below, a malicious script is served from a domain registered under Cameroon's '.cm' TLD to mimic a reference to the standard Google Analytics library.
Legitimate www.google-analytics.com/analytics.js
Malicious www.google-analytics.cm/analytics.js
And below, a malicious script is hosted on a domain registered under the standard '.com' TLD but with a single letter changed (the second 'g' replaced by 'q'), so the script is loaded from a domain not owned by Google.
Legitimate www.googletagmanager.com/gtm.js
Malicious www.gooqletagmanager.com/gtm.js
According to Sucuri, inspection of the malicious code reveals its true purpose: harvesting sensitive details from form fields, including credit card details entered during checkout.
Possibly more alarming, Sucuri also describes a variant in which equally obfuscated malicious code mimicking standard Google tracking calls is embedded directly within sensitive forms. This suggests that these sites were at some point compromised through targeted hacking, and that their administrators have been unable to distinguish these calls from legitimate tracking.
To be sure, none of these techniques are new; however, the disguise of mimicking legitimate Google tracking calls is somewhat alarming given how widely Google tracking scripts are used across the web.
Other than being aware that such threats exist, we recommend that site administrators scan their sites for references to all of the malicious domains and libraries outlined in the original post, and more generally for any script reference whose hostname resembles, but does not exactly match, Google's own tracking domains.
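The kind of scan recommended above, as an added example that is not Sucuri's tooling or code from the original post: it pulls every URL-like reference (script src attributes and URLs inside inline JavaScript) out of page source and flags hosts that imitate Google's tracking domains, using the two lookalike patterns described in the post (a legitimate label under a foreign TLD, and a single-character typosquat such as 'q' for 'g') plus a legitimate domain buried as a subdomain of something else. The list of legitimate domains, the confusable-character map and the sample page are assumptions constructed for this example.

```python
"""Flag script references that imitate Google Analytics / Tag Manager hosts.

Added example; assumes the legitimate domain list and confusable map below.
"""
import re

# Registrable domains that genuinely belong to Google's tracking libraries
# (assumed list; extend with any other first-party hosts your site expects).
LEGIT_DOMAINS = {"google-analytics.com", "googletagmanager.com"}

# Single-character confusables commonly used in typosquats (assumed mapping).
CONFUSABLES = str.maketrans({"q": "g", "0": "o", "1": "l", "3": "e", "5": "s"})

# Matches absolute and protocol-relative URLs: host (group 1) and path (group 2).
# Catches <script src="..."> as well as URLs inside inline JS strings.
URL_RE = re.compile(r"""(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})(/[^\s'"<>)]*)?""", re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return a reason string if host imitates a Google tracking domain, else None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT_DOMAINS:
        return None  # real Google domain, any subdomain (e.g. www.)
    label, tld = labels[-2], labels[-1]
    for legit in sorted(LEGIT_DOMAINS):
        legit_label = legit.split(".")[0]
        if label == legit_label:
            return f"'{legit_label}' registered under .{tld} instead of {legit}"
        if edit_distance(label.translate(CONFUSABLES), legit_label) <= 1:
            return f"typosquat '{label}' of {legit}"
        if legit_label in labels[:-2]:
            return f"{legit} used as a subdomain of {registrable}"
    return None


def scan(source):
    """Scan raw page/JS source; return one finding per suspicious host+path."""
    findings, seen = [], set()
    for m in URL_RE.finditer(source):
        host, path = m.group(1).lower(), m.group(2) or "/"
        reason = classify_host(host)
        if reason and (host, path) not in seen:
            seen.add((host, path))
            findings.append({"host": host, "path": path, "reason": reason})
    return findings


# Constructed sample page: one real GA include, two lookalikes (one of them
# injected from inline JS inside a checkout form), and one unrelated CDN.
SAMPLE_PAGE = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//www.google-analytics.cm/analytics.js"></script>
<script src="https://www.gooqletagmanager.com/gtm.js"></script>
<script src="https://cdn.example.com/app.js"></script>
<form id="checkout" action="/pay" method="post">
  <input name="cc_number">
  <script>var s=document.createElement('script');s.src='https://www.google-analytics.cm/analytics.js';document.head.appendChild(s);</script>
</form>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f"{f['host']}{f['path']}: {f['reason']}")
```

Run it over each HTML template, theme file and bundled JavaScript file on disk, not just rendered pages, since the post notes the calls can sit directly inside form markup. The scan only sees literal URLs: a loader that builds the hostname from encoded or concatenated strings will slip past it, so treat a clean result as a necessary check rather than proof of a clean site, and compare against the rendered DOM of a live checkout page as well.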