{
	"id": "90d6dcde-f50c-4b4b-a471-8bd40b8bea92",
	"created_at": "2026-04-06T00:11:45.040891Z",
	"updated_at": "2026-04-10T13:11:48.420409Z",
	"deleted_at": null,
	"sha1_hash": "3814bd74607df06e3936e8166e78e007305b1c8e",
	"title": "Hackers abuse Google Apps Script to steal credit cards, bypass CSP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1023796,
	"plain_text": "Hackers abuse Google Apps Script to steal credit cards, bypass CSP\r\nBy Sergiu Gatlan\r\nPublished: 2021-02-18 · Archived: 2026-04-05 14:01:32 UTC\r\nImage: Google\r\nAttackers are abusing Google's Apps Script business application development platform to steal credit card information\r\nsubmitted by customers of e-commerce websites while shopping online.\r\nThey are using the script.google.com domain to successfully hide their malicious activity from malware scan engines and\r\nbypass Content Security Policy (CSP) controls.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThey take advantage of the fact that online stores would consider Google's Apps Script domain as trusted and potentially\r\nwhitelisting all Google subdomains in their sites' CSP configuration (a security standard for blocking untrusted code\r\nexecution in web apps).\r\nCredit card skimmers (Magecart scripts or payment card skimmers) are JavaScript-based scripts injected by cybercrime\r\ngroups known as Magecart groups inject into hacked online stores as part of web skimming (also known as e-skimming)\r\nattacks.\r\nOnce deployed, the scripts allow them to harvest the payment, and personal info submitted by the hacked shops' customers\r\nand collect it on servers under their control.\r\nGoogle Apps Script domain used as exfiltration endpoint\r\nThis new payment info theft tactic was discovered by security researcher Eric Brandel while analyzing Early Breach\r\nDetection data provided by Sansec, a cybersecurity company focused on fighting digital skimming.\r\nAs he discovered, the malicious and obfuscated skimmer script injected by the attackers in e-commerce sites intercepted\r\npayment 
info submitted by users.\r\nAll the payment info stolen from the compromised online shop was sent as base64 encoded JSON data to a Google Apps\r\nScript custom app, using script[.]google[.]com as an exfiltration endpoint.\r\nAfter reaching the Google Apps Script endpoint, the data was forwarded to another server — Israel-based site analit[.]tech\r\n— controlled by the attackers.\r\n\"The malware domain analit[.]tech was registered on the same day as previously discovered malware domains hotjar[.]host\r\nand pixelm[.]tech, who are also hosted on the same network,\" Sansec said.\r\nError displayed when accessing attackers' custom Google Apps Script app (Sansec)\r\nThis isn't the first time this Google service has been abused, with the FIN7 cybercriminal group using it in the past together\r\nwith Google Sheets and Google Forms services for malware command-and-control.\r\nSince mid-2015, FIN7 (aka Carbanak or Cobalt) has targeted banks and the point-of-sale (PoS) terminals of EU and US\r\ncompanies using the Carbanak backdoor.\r\n\"This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient,\" Sansec added.\r\n\"E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. 
Server-side malware\r\nand vulnerability monitoring is essential in any modern security policy.\"\r\nGoogle Analytics also abused to steal credit cards\r\nOther Google services were also abused in Magecart attacks, with the Google Analytics platform being used by attackers to\r\nsteal payment info from several dozen online stores.\r\nWhat made those attacks worse was that by abusing the Google Analytics API, the threat actors could also circumvent CSP,\r\nseeing that web stores whitelist Google's web analytics service in their CSP configuration for tracking visitors.\r\nAs Sansec and PerimeterX found at the time, instead of blocking injection-based attacks, allowing Google Analytics scripts\r\nenabled the attackers to utilize them for stealing and exfiltrating data.\r\nThis was done using a web skimmer script specifically designed to encode stolen data and send it to the attacker's Google\r\nAnalytics dashboard in encrypted form.\r\nBased on stats provided by BuiltWith, more than 28 million sites are currently using Google's GA web analytics services,\r\nwith 17,000 of the websites reachable via an HTTPArchive scan in March 2020 whitelisting the google-analytics.com\r\ndomain according to PerimeterX statistics.\r\n\"Typically, a digital skimmer (aka Magecart) runs on dodgy servers in tax havens, and its location reveals its nefarious\r\nintent,\" Sansec explained at the time.\r\n\"But when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as\r\n'suspicious.' And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site\r\nadministrator trusts Google.\"\r\n\"CSP was invented to limit the execution of untrusted code. 
But since pretty much everybody trusts Google, the model is\r\nflawed,\" Sansec CEO and founder Willem de Groot also told BleepingComputer.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-apps-script-to-steal-credit-cards-bypass-csp/#google_vignette"
	],
	"report_names": [
		"#google_vignette"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434305,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3814bd74607df06e3936e8166e78e007305b1c8e.pdf",
		"text": "https://archive.orkl.eu/3814bd74607df06e3936e8166e78e007305b1c8e.txt",
		"img": "https://archive.orkl.eu/3814bd74607df06e3936e8166e78e007305b1c8e.jpg"
	}
}