Hackers stealing credit card details using Google apps
Criminals found to be lifting credit card details from e-commerce websites via Google Apps Script
A security researcher has unearthed a novel approach devised by hackers to grab credit card details of ecommerce shoppers using Google’s own tools.
While analyzing data from cybersecurity company Sansec, Eric Brandel discovered that hackers were using Google’s Apps Script domain to appear legitimate to any Content Security Policy (CSP) controls.
“What makes abusing Google Apps Script interesting is that the endpoint is script[.]google[.]com,” Brandel shared on Twitter.
Abusing trust
CSP helps identify trusted sources in a bid to prevent cross-site scripting and other types of code injection attacks. In this instance, however, the hackers managed to trick the controls by masquerading behind a trusted domain.
Brandel discovered that the hackers banked on the fact that virtually all online stores would’ve whitelisted all Google subdomains in their respective CSP configurations. They abused this trust to use the App Script domain to route the stolen data to a server under their control.
This isn’t the first time online fraudsters have ridden on the reputation of Google’s domains and services. As per reports, notorious cybercriminal groups have abused Google services such as Google Sheets and Google Forms for malware command-and-control communications.
Last year, Sansec discovered a web skimming campaign run entirely on Google servers, which was sending stolen credit card information to Google Analytics.
Brandel shares that he was able to replicate the setup of the latest abuse in a matter of minutes, cheekily adding that it’s high time web developers should stop configuring their CSPs to trust Google sub-domains.
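To make the point about CSP configurations concrete, here is an added example (not code from the article, Brandel or Sansec) that shows why a wildcard such as `https://*.google.com` in a store's policy lets data flow to `script.google.com`, and how a policy that names only the specific Google hosts the site actually uses does not. It implements a simplified version of the CSP host-source matching rules (scheme, host with a leading `*.` wildcard, port, and path prefix; the full spec has more cases) and applies them to two constructed policies. The shop origin, the Google Analytics and Tag Manager hosts used in the tightened policy, and the Apps Script URL path are assumed sample values for the demonstration.

```python
"""Check whether a Content Security Policy would let a page send data to a URL.

Added example: a simplified CSP source-expression matcher used to compare a
policy that trusts every Google subdomain with one that names specific hosts.
"""
from urllib.parse import urlparse

# Directives that fall back to default-src when absent (fetch directives).
FETCH_DIRECTIVES = {
    "connect-src", "script-src", "img-src", "style-src", "font-src",
    "media-src", "frame-src", "object-src", "child-src", "worker-src",
}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_source_matches(source, url):
    """Simplified CSP host-source matching.

    Handles: a bare scheme ("https:"), an optional scheme prefix, a host with
    an optional leading "*." wildcard, an optional port, and a path prefix.
    """
    target = urlparse(url)
    target_host = (target.hostname or "").lower()
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme.lower() != target.scheme.lower():
            return False
    elif source.endswith(":"):                       # scheme-only source
        return target.scheme.lower() == source[:-1].lower()
    else:
        rest = source
    host_port, _, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    host = host.lower()
    if host.startswith("*."):
        # "*.google.com" matches any subdomain, but not "google.com" itself
        if not target_host.endswith(host[1:]):
            return False
    elif host != target_host:
        return False
    if port and port != "*":
        default_port = 443 if target.scheme == "https" else 80
        if str(target.port or default_port) != port:
            return False
    if path and not target.path.startswith("/" + path):  # path prefix match
        return False
    return True


def policy_allows(header, directive, url, page_origin):
    """Return True if `directive` in `header` permits a request to `url`."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None:
        if directive in FETCH_DIRECTIVES:
            sources = policy.get("default-src", [])
        else:
            return True          # non-fetch directive absent: unrestricted
    if "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'":
            if host_source_matches(page_origin, url):
                return True
        elif src.startswith("'"):  # 'unsafe-inline', nonces, hashes: not hosts
            continue
        elif host_source_matches(src, url):
            return True
    return False


# Constructed sample values (assumptions for the demonstration).
PAGE_ORIGIN = "https://shop.example"
EXFIL_URL = "https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec"

# Weak policy: trusts every Google subdomain, so script.google.com is allowed.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' https://*.google.com https://www.googletagmanager.com; "
            "connect-src 'self' https://*.google.com https://www.google-analytics.com")

# Tightened policy: only the specific Google hosts the site uses.
TIGHT_CSP = ("default-src 'self'; "
             "script-src 'self' https://www.googletagmanager.com; "
             "connect-src 'self' https://www.google-analytics.com")


def audit(header, url, origin=PAGE_ORIGIN):
    """Report which exfiltration-relevant directives permit a request to url."""
    return {d: policy_allows(header, d, url, origin)
            for d in ("connect-src", "img-src", "form-action")}


if __name__ == "__main__":
    print("weak :", audit(WEAK_CSP, EXFIL_URL))
    print("tight:", audit(TIGHT_CSP, EXFIL_URL))
```

Running the audit shows the weak policy permits a `connect-src` request to the Apps Script endpoint while the tightened one refuses it; `img-src` falls back to `default-src 'self'` in both, and `form-action` is unrestricted in both because neither policy sets it, which is the kind of gap a review of a store's CSP should also look for.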
Via: BleepingComputer
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.