Google Web Tool Used to Steal Credit Cards Online - How to Protect Yourself

Cybercriminals have developed a new skimming technique to steal people's payment card information for online shopping, a leading antivirus company has announced.

In a blog post today (June 22), Moscow-based cybersecurity giant Kaspersky said that online fraudsters have created a Google Analytics account, copied the tracking code for that account, and inserted that code into an online store's web page code, reportedly collecting credit card information from the compromised site.

Kaspersky warns that "about 20 online stores worldwide have been compromised in this way," most of them in the United States, Europe, and South America.

Web skimming attacks are not necessarily new. Fraudsters often use this method to access the credit card information of unsuspecting victims, but it has become more common in recent years with the rapid proliferation of online shopping.

In these attacks, perpetrators alter the source code of a website so that they can collect all information submitted by users on the site. (In most cases, the website owner or administrator is unaware that the site has been modified.) This data, including payment information, is then transferred to the perpetrator.

Another tactic is to use domains that pose as legitimate services, such as Google Analytics, to make it harder for site administrators to realize that their website has been compromised.

According to Kaspersky, this technique usually involves domains that imitate the Google Analytics domain (google-analytics.com) with intentional misspellings, such as google-anatytics, google-analytcsapi, google-analytc, google-anaiytlcs, etc.

However, the technique discovered by Kaspersky is new: instead of spoofing the Google Analytics domain name, the stolen data is sent to a legitimate Google Analytics account created by the attacker.

"Once the attacker registered an account with Google Analytics, all that was left was to set the tracking parameters of the account to receive the tracking ID."

"Then, along with the tracking ID, malicious code was injected into the web page's source code so that data about the visitor could be collected and sent directly to the Google Analytics account."

As a result, it is not easy for website administrators to identify and respond to website breaches.

Kaspersky explains: "To someone examining the source code, it only appears as if the page is linked to an official Google Analytics account."

The attackers also use anti-debugging techniques that anticipate someone looking for the malicious code and effectively hide it, making the job of administrators and security professionals increasingly difficult.

Kaspersky states that "if a site administrator uses developer mode to check the source code of a web page, no malicious code can be executed."

Victoria Vlasova, senior malware analyst at Kaspersky, says: "This is a technique we have never seen before, and one that is particularly effective: Google Analytics is one of the most popular web analytics services out there. [i.e., permission to collect user data is frequently granted by site administrators.] Therefore, malicious injections involving Google Analytics accounts are inconspicuous and easily overlooked. As a general rule, administrators should not assume that just because a third-party resource is legitimate, it is okay for that resource to be present in the code."

Kaspersky recommends installing a security solution that "can detect and block the execution of malicious scripts."
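One check a site owner can run against their own pages, as an added example that is not from Kaspersky or the original article: because the stolen data goes to the genuine Google Analytics domain, the script compares every tracking ID found in a page against the IDs the owner actually registered, and also flags misspelled look-alike hosts. The `UA-` ID pattern, the 0.8 similarity threshold, the function names, the sample HTML and the `.example` host are assumptions or constructed values.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

GA_DOMAIN = "google-analytics.com"
# Classic Google Analytics property IDs have the shape UA-<account>-<property>.
TRACKING_ID = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")
URL = re.compile(r"""(?:https?:)?//[^\s"'<>]+""")


def is_lookalike(host, threshold=0.8):
    """True if a host outside google-analytics.com has a label resembling it."""
    host = host.lower().rstrip(".")
    if host == GA_DOMAIN or host.endswith("." + GA_DOMAIN):
        return False
    return any(
        SequenceMatcher(None, label, "google-analytics").ratio() >= threshold
        for label in host.split(".")
    )


def audit_page(html, own_ids):
    """Return sorted (kind, value) findings for one page's HTML source."""
    # A tracking ID the owner never registered is suspicious even though
    # it reports to the legitimate Google Analytics domain.
    findings = [("unknown-tracking-id", tid)
                for tid in set(TRACKING_ID.findall(html)) - set(own_ids)]
    for url in URL.findall(html):
        host = urlparse(url if url.startswith("http") else "https:" + url).hostname
        if host and is_lookalike(host):
            findings.append(("lookalike-host", host))
    return sorted(set(findings))


# Constructed sample page: one registered ID, one foreign ID, one look-alike host.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-11111111-1', 'auto');</script>
<script>ga('create', 'UA-99999999-7', 'auto');</script>
<script src="//google-anatytics.example/ga.js"></script>
"""

if __name__ == "__main__":
    for kind, value in audit_page(SAMPLE_HTML, own_ids={"UA-11111111-1"}):
        print(f"{kind}: {value}")
```

A static scan like this only sees IDs and hosts that appear in clear text in the page source, so it complements rather than replaces monitoring of the requests a checkout page actually sends.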
