Hackers are using Google’s servers and Google Analytics platform to steal credit card information submitted by online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks. This new tactic takes advantage of the fact that e-commerce web sites using Google Analytics are whitelisting Google Analytics domains in their CSP configuration (a security standard used to block the execution of untrusted code on web apps) New research shows that using CSP to prevent credit card skimming attacks is pointless on sites that also deploy Google Analytics.
Source: https://www.bleepingcomputer.com/news/security/hackers-use-google-analytics-to-steal-credit-cards-bypass-csp/