Card skimming scripts hiding as Google Analytics and Angular


A bunch of credit card-stealing scripts have popped up on the web, injected into websites and disguised as legitimate Google Analytics or Angular utilities so that webmasters do not notice them. The malicious code is obfuscated and injected into legitimate JS files, mainly on Magento-built sites. A JS file is a text file containing JavaScript code that is used to execute JavaScript instructions in web pages. The campaign stands out for its significant level of customization. Each site has its own set of injected scripts, compromised sites, misleading variable and file names, and unique variations of obfuscation. At the same time, at each level, the scripts try to give the impression that they do something useful, are related to Google Analytics or Magento conversion tracking, or are built with reputable JS frameworks.

For some sites, the obfuscated code loads another script from www.google-analytics[.]cm/analytics.js. The URL looks very similar to the real Google Analytics location, www.google-analytics.com/analytics.js, but uses the .cm top-level domain instead of .com. Anyone who views the script will find that the obfuscated code tries to mask itself as Google Analytics. On other compromised sites, the credit card-stealing code masquerades as legitimate Angular code. Angular is Google's framework for web development. At least 40 sites have been found hosting these fake scripts.


The code contains many keywords that look relevant to this popular JavaScript framework, such as Angular.io, algularToken, angularCdn, and angularPages. However, a thorough analysis shows that angularCdn is an encrypted URL, algularToken (note the misspelling) is a decryption key, and the rest of the code consists of functions that decode the URL and dynamically load a script from it. That URL, https://www.gooqletagmanager[.]com/gtm.js, also looks similar to the URL of a legitimate service, Google's Tag Manager. The only change is that a Q replaces the second G in Google's name.
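Both of the lookalike hosts above (the .cm swap and the Q-for-G swap) are one character away from the real Google hosts. The following is an added example, not code from the article or from any of the projects it names, of a defender-side check that a site monitor could run over a page's HTML: it pulls every external script reference, compares the hostname against an assumed allowlist of trusted script hosts, and flags any hostname that is within a small edit distance of a trusted host but not equal to it. The allowlist, the distance threshold and the sample HTML are constructed for the example.

```javascript
// Added example (not from the article): detect <script src> hosts that are
// near-misses of trusted third-party hosts, the way google-analytics[.]cm
// and gooqletagmanager[.]com mimic the real Google hosts.

// Hosts this site legitimately loads scripts from (assumed allowlist).
const TRUSTED_HOSTS = ["www.google-analytics.com", "www.googletagmanager.com"];

// A hostname within this many single-character edits of a trusted host
// (but not equal to it) is treated as a lookalike. Tunable assumption.
const LOOKALIKE_MAX_DISTANCE = 2;

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify one script URL: "trusted", "lookalike" (with the host it mimics),
// "unknown" (not on the allowlist and not close to it) or "unparseable".
function classifyScriptUrl(url) {
  let host;
  try {
    host = new URL(url).hostname; // the URL parser lowercases the host
  } catch (e) {
    return { url, verdict: "unparseable", mimics: null };
  }
  if (TRUSTED_HOSTS.includes(host)) return { url, verdict: "trusted", mimics: null };
  let best = null;
  let bestDist = Infinity;
  for (const trusted of TRUSTED_HOSTS) {
    const d = editDistance(host, trusted);
    if (d < bestDist) { bestDist = d; best = trusted; }
  }
  if (bestDist <= LOOKALIKE_MAX_DISTANCE) return { url, verdict: "lookalike", mimics: best };
  return { url, verdict: "unknown", mimics: null };
}

// Pull every external script reference out of raw HTML. A simple regex, not
// a full HTML parser; sufficient for a monitor that diffs a page over time.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function auditHtml(html) {
  return extractScriptSrcs(html).map(classifyScriptUrl);
}

// Constructed sample page: the real Google Analytics host, the two lookalike
// hosts named in the article, a first-party host, and one inline script.
const SAMPLE_HTML = `
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.google-analytics.cm/analytics.js"></script>
<script async src='https://www.gooqletagmanager.com/gtm.js'></script>
<script src="https://static.example-shop.test/js/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
`;

for (const r of auditHtml(SAMPLE_HTML)) {
  const note = r.mimics ? `  (mimics ${r.mimics})` : "";
  console.log(`${r.verdict.padEnd(11)} ${r.url}${note}`);
}
```

The "unknown" verdict is deliberately separate from "lookalike": a first-party CDN that is simply missing from the allowlist is a configuration gap, while a host one edit away from a trusted one deserves an immediate look. Keep the allowlist short and specific to the hosts the site actually uses, since a long list raises the chance that an unrelated host lands within the edit-distance threshold.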

These fake Angular scripts are injected into the Magento database and can be found in the HTML source of web pages on compromised Magento sites. In most cases, they are not formatted as well as the above sample and occupy just a long, single line of code. Each site has its own version of the script, with different decryption keys and encoded URLs. It's worth mentioning that the majority of the
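Because each site gets its own key and encoded URL, matching on a fixed string does not catch these injections, but the shape the article describes (a single very long line carrying an opaque encoded literal, code that decodes it, and code that creates a new script element) is stable across variants. The following is an added example, not code from the article, of a triage heuristic over the inline scripts in a page's HTML source: it scores each inline block against those indicators and reports the reasons, so a reviewer can see why something was flagged. The thresholds, the scoring rule (three or more indicators) and the sample HTML, including the non-functional decoy that imitates the variable names from the article, are constructed for the example.

```javascript
// Added example (not from the article): heuristic triage of inline <script>
// blocks for the "long single line + opaque literal + decode + dynamic load"
// pattern. Thresholds are assumptions to tune per site.

const MIN_SINGLE_LINE_LENGTH = 300;   // what counts as a "long single line" (assumed)
const MIN_OPAQUE_LITERAL_LENGTH = 64; // base64-looking run treated as opaque (assumed)

// Bodies of inline scripts only (tags without a src attribute).
function extractInlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\ssrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Returns the indicators present in one script body and an overall verdict.
function scoreInlineScript(body) {
  const text = body.trim();
  const reasons = [];
  if (!text.includes("\n") && text.length >= MIN_SINGLE_LINE_LENGTH) {
    reasons.push("single-long-line");
  }
  const opaque = new RegExp(`["'][A-Za-z0-9+/=]{${MIN_OPAQUE_LITERAL_LENGTH},}["']`);
  if (opaque.test(text)) reasons.push("opaque-literal");
  if (/createElement\s*\(\s*["']script["']\s*\)/.test(text) && /\.src\s*=/.test(text)) {
    reasons.push("dynamic-script-load");
  }
  if (/\b(atob|String\.fromCharCode|charCodeAt|unescape)\s*\(/.test(text)) {
    reasons.push("char-level-decoding");
  }
  // One indicator alone is common in benign code (a long inline config, a
  // legitimate lazy loader); require several before raising a finding.
  return { reasons, suspicious: reasons.length >= 3 };
}

function triageInlineScripts(html) {
  return extractInlineScripts(html).map((body, index) => ({ index, ...scoreInlineScript(body) }));
}

// Constructed benign inline config: long and single-line, but nothing else.
const BENIGN_CONFIG =
  "var checkoutConfig=" +
  JSON.stringify({ currency: "USD", fields: Array.from({ length: 40 }, (_, i) => "field" + i) }) +
  ";";

// Constructed decoy imitating the article's variable names. It is not a
// working loader: angularPages is never defined and the literal is filler.
const CONSTRUCTED_DECOY =
  'var angularCdn="' + "QUJDREVG".repeat(24) + '";' +
  'var algularToken="not-a-real-key";' +
  'var p=document.createElement("script");' +
  "p.src=angularPages(atob(angularCdn),algularToken);" +
  "document.head.appendChild(p);";

// Constructed sample page: a normal multi-line gtag snippet, an external
// script (ignored here), the benign config, and the decoy.
const SAMPLE_HTML = `
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
</script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>${BENIGN_CONFIG}</script>
<script>${CONSTRUCTED_DECOY}</script>
`;

for (const r of triageInlineScripts(SAMPLE_HTML)) {
  console.log(`inline #${r.index}: ${r.suspicious ? "SUSPICIOUS" : "ok"} [${r.reasons.join(", ")}]`);
}
```

Run this against a stored copy of each page rather than the live site only, so that a finding can be compared with the previous crawl; a block that was absent last week and now scores three indicators is a stronger signal than the score alone. The heuristic will also fire on some legitimate minified tag-manager snippets, so treat a hit as a prompt to read the block, not as a verdict.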