Skip to main content

Trusted Google Domain Helped Hackers Get Past Security

By March 4, 2021May 11th, 2022Cybersecurity

Hackers have found a new tool in their never-ending quest to cause trouble. They’ve begun abusing the Apps Script business application developed by Google in a bid to steal credit card and personally identifiable information.

That’s significant because given Google’s dominant position on the internet, the Apps Script is widely trusted by the market.

That fact allows hackers to mask their illicit activities and is further aided by the fact that most online vendors whitelist Google’s subdomains by default. Why wouldn’t they? Google plays a critical role in today’s internet and most business owners rely heavily on a wide range of Google’s tools and services.

Unfortunately, that creates an opportunity that the hackers are only too happy to exploit. Armed with a means of masking their activities, hackers can inject malicious code into a number of eCommerce shopping cart solutions, many of which are JavaScript based.

We owe the discovery of this latest tactic to Sansec security researcher Eric Brandel.

Brandel had this to say about the recent discovery:

“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring is essential in any modern security policy.

when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious.’ And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google.

CSP was invented to limit the execution of untrusted code. But since pretty much everybody trusts Google, the model is flawed.”

And that’s the crux of the problem. Fortunately, if Google’s past performance is any indication, they’ll move swiftly to make their systems even more secure, thus limiting the threat. Until that happens though, it pays to be mindful of the fact that it exists, and plan accordingly.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.