Dan Goodin at Ars Technica
‘Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that found a novel way to achieve this. Instead of sending it to attacker-controlled servers, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce site security policies generally fully trust it to receive data.’
Clever but very creepy. Check you don’t have an extra Google Analytics profile in your site’s source.
Here’s another (deep dive) article on card skimming via embedded image data.
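One way to run the check suggested above, as an added example that is not from the Ars Technica article or Kaspersky's report: it lists every Google Analytics property ID that appears literally in a page's source and flags any that is not on your own allowlist. The sample page, both IDs and the allowlist are constructed for illustration; an ID that is encoded or assembled at runtime will not be caught by a literal match like this.

```python
import re

# Universal Analytics (UA-123456-1) and GA4 (G-ABC123DEF4) property ID formats.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def find_ga_ids(source: str) -> dict[str, list[int]]:
    """Map each Google Analytics ID found in `source` to the line numbers it appears on."""
    found: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in GA_ID.finditer(line):
            found.setdefault(match.group(1), []).append(lineno)
    return found


def unexpected_ga_ids(source: str, expected: set[str]) -> dict[str, list[int]]:
    """Return only the IDs that are not in the site owner's own allowlist."""
    return {gid: lines for gid, lines in find_ga_ids(source).items()
            if gid not in expected}


# Constructed sample page: one legitimate profile and one extra one.
SAMPLE_PAGE = """\
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-OWNSITE001"></script>
<script>gtag('config', 'G-OWNSITE001');</script>
</head><body>
<form id="checkout">...</form>
<script>ga('create', 'UA-00000000-9', 'auto');</script>
</body></html>
"""

if __name__ == "__main__":
    # Hypothetical allowlist: the property IDs you actually own.
    for gid, lines in unexpected_ga_ids(SAMPLE_PAGE, {"G-OWNSITE001"}).items():
        print(f"unexpected Google Analytics ID {gid} on line(s) {lines}")
```

Run it against the rendered checkout pages and every script they load, not only the templates in your repository, since injected code usually lives in what is actually served.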