Microsoft warns against web skimmers mimicking Google Analytics and Meta Pixel Code


Threat actors behind web skimming campaigns leverage malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to evade detection.

“This is a change from previous tactics where attackers visibly injected malicious scripts into e-commerce platforms and content management systems (CMS) via exploiting vulnerabilities, which makes this threat very evasive to traditional security solutions,” the Microsoft 365 Defender research team said in a new report.

Skimming attacks, such as those of Magecart, are carried out with the aim of collecting and exporting users’ payment information, such as credit card details, which are entered into online payment forms on e-commerce platforms, usually during the checkout process.


This is achieved by taking advantage of security vulnerabilities in third-party plugins and other tools to inject malicious JavaScript code into online portals without owners’ knowledge.

As skimming attacks have increased in number over the years, the methods employed to hide skimming scripts have also increased. Last year, Malwarebytes exposed a campaign in which malicious actors were observed delivering PHP-based web shells embedded in website favicons to load skimmer code.


Then, in July 2021, Sucuri discovered another tactic of inserting the JavaScript code into comment blocks and hiding stolen credit card data in images and other files hosted on the hacked servers.

One of the latest obfuscation techniques observed by Microsoft is a variation of the aforementioned method of using malicious image files, including regular images, to stealthily embed a PHP script with Base64-encoded JavaScript.


A second approach relies on four lines of JavaScript code appended to a compromised webpage to retrieve the skimmer script from a remote server, a script that is “Base64-encoded and concatenated from multiple strings.”

Microsoft also detected skimmer script domains encoded in spoofed Google Analytics and Meta Pixel code, a disguise meant to stay under the radar and avoid raising suspicion.
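A defender-side check for the two techniques above (Base64 strings concatenated from multiple pieces, and skimmer domains encoded in spoofed Google Analytics and Meta Pixel code), given here as an added example that is not taken from Microsoft's report. The vendor allowlist, the function names and the two sample snippets are assumptions constructed for illustration; it runs under Node.js.

```javascript
// Added example, not Microsoft's detection logic. Heuristic: flag inline scripts
// whose (possibly "+"-concatenated) string literals Base64-decode to a non-vendor host.
const VENDOR_HOSTS = ["google-analytics.com", "googletagmanager.com",
                      "facebook.net", "facebook.com"]; // assumed allowlist
const LOOKS_LIKE_TRACKER = /\b(fbq|gtag|ga)\s*\(|GoogleAnalyticsObject/;

// Return each run of string literals joined by "+", with the pieces glued together.
// Literals containing backslash escapes are skipped (kept simple on purpose).
function joinedLiterals(src) {
  const lit = `(?:"[^"\\\\]*"|'[^'\\\\]*')`;
  const run = new RegExp(`${lit}(?:\\s*\\+\\s*${lit})*`, "g");
  return (src.match(run) || []).map((r) =>
    r.match(new RegExp(lit, "g")).map((s) => s.slice(1, -1)).join(""));
}

// Decode only strings that are plausible Base64 and yield printable ASCII.
function decodeBase64Text(s) {
  if (s.length < 16 || s.length % 4 === 1) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const out = Buffer.from(s, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(out) ? out : null;
}

function hostsIn(text) {
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  return [...text.matchAll(re)].map((m) => m[1].toLowerCase());
}
const isVendor = (h) => VENDOR_HOSTS.some((v) => h === v || h.endsWith("." + v));

function scanScript(src) {
  const spoofsTracker = LOOKS_LIKE_TRACKER.test(src);
  const findings = [];
  for (const candidate of joinedLiterals(src)) {
    const decoded = decodeBase64Text(candidate);
    if (!decoded) continue;
    for (const host of hostsIn(decoded)) {
      if (!isVendor(host)) findings.push({ host, spoofsTracker });
    }
  }
  return findings;
}

// Constructed samples (inert text, never executed); the .invalid host is a placeholder.
const b64 = (s) => Buffer.from(s).toString("base64");
const enc = b64("https://stats.skimmer-example.invalid/collect.js");
const SAMPLE_SPOOFED =
  `fbq('init','0000'); var u = atob("${enc.slice(0, 20)}" + "${enc.slice(20)}");`;
const SAMPLE_BENIGN =
  `gtag('config','G-0000'); var u = atob("${b64("https://www.google-analytics.com/analytics.js")}");`;
console.log(scanScript(SAMPLE_SPOOFED), scanScript(SAMPLE_BENIGN));
```

A finding with `spoofsTracker: true` means the script presents itself as analytics code while hiding a host outside the allowlist, which is the combination worth reviewing first.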

Unfortunately, there is little that online shoppers can do to protect themselves from web skimming other than ensuring their browsing sessions are secure during checkout. Alternatively, users can also create virtual credit cards to secure their payment information.

“Given the increasingly evasive tactics used in skimming campaigns, organizations need to ensure that their e-commerce platforms, CMSs and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft said.

