Hackers have found a new tool in their never-ending quest to cause trouble. They’ve begun abusing the Apps Script business application developed by Google in a bid to steal credit card and personally identifiable information.
That’s significant because given Google’s dominant position on the internet, the Apps Script is widely trusted by the market.
That fact allows hackers to mask their illicit activities and is further aided by the fact that most online vendors whitelist Google’s subdomains by default. Why wouldn’t they? Google plays a critical role in today’s internet and most business owners rely heavily on a wide range of Google’s tools and services.
Unfortunately, that creates an opportunity that the hackers are only too happy to exploit. Armed with a means of masking their activities, hackers can inject malicious code into a number of eCommerce shopping cart solutions, many of which are JavaScript based.
We owe the discovery of this latest tactic to Sansec security researcher Eric Brandel.
Brandel had this to say about the recent discovery:
“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring is essential in any modern security policy.
…when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious.’ And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google.
CSP was invented to limit the execution of untrusted code. But since pretty much everybody trusts Google, the model is flawed.”
And that’s the crux of the problem. Fortunately, if Google’s past performance is any indication, they’ll move swiftly to make their systems even more secure, thus limiting the threat. Until that happens though, it pays to be mindful of the fact that it exists, and plan accordingly.