Google Analytics Emerges as a Phishing Tool

Web analytics help phishers hone their attacks — but website defenders can also use these tactics to better detect the scope of attacks and mitigate their effects.

Cybercriminals are leveraging key technical markers used in web analytics—particularly Google Analytics—to create more sophisticated and targeted phishing attacks, new research has found.

However, this also makes them more susceptible to detection by organizations defending their sites against attacks, researchers said.

With 56.1 percent of websites now using analytics to generate reports on user behavior and page views, and to track user activity throughout sites, cybercriminals have caught on and are leveraging these and other uses of analytics for their own dirty work, the report found. After all, criminals who launch phishing attacks have the same interest as typical website designers in driving traffic to their phishing sites and luring users to click on links in emails, according to a new report by network security provider Akamai Technologies.

“As phishing has evolved over the years, criminals have learned that technical markers, like browser identification, geo-location and operating system [identification], can help adjust the phishing website’s visibility, and enable more granular targeting,” according to the research from Tomer Shiomo, senior security research team lead at Akamai Labs, released on Wednesday  “In order to evaluate these metrics, kit developers use third-party analytic products, such as those developed by Google, Bing or Yandex, to gather the necessary details.”

But even while attackers are using website tools to create malicious campaigns, Akamai showed in its research how those defending their sites against phishing can turn the tables and detect phishers using the same technology.

Analytics uses something called a unique identifier (UID) to identify each customer. This UID is comprised of two parts–the unique analytics network account ID (XXXXX), and the view, or property, number, Shiomo explained.

For its research, Akamai scanned 62,627 active phishing URLs, 54,261 of which are non-blank pages that belong to 28,906 unique domains. Researchers discovered 874 domains with UIDs; 396 of those were unique Google Analytic accounts. Akamai also discovered that 75 of the UIDs were used for more than one website.

By analyzing the source code of these websites, researchers observed phishing tactics making use of these analytic UIDs, Shiomo said, identifying several reasons related to malicious behavior that could explain the presence of the analytic identifiers, he said.

One reason could be that a bad actor was reusing a UID for phishing purposes, he said. “While attempting to duplicate the original website, the developers used copying tools such as HTTrack or wget to download the source code, reusing the analytic ID shipped with the original code,” Shiomo wrote.

The use of UIDs also could be evidence of analytic IDs set by the framework developer to monitor the victim’s movement through the phishing website, he said.

Additionally, the UIDs observed by Akamai researchers could be the mark of “phishing websites that were sinkholed by the targeted company,” showing a site that was previously redirected by a phishing campaign, now re-routed back to the original website, Shiomo said.

This last example shows how those defending sites against phishing can beat cybercriminals at their own game, taking the technology being used against them to glean more not only about user behavior on a site, but also cybercriminal behavior, he said.

“Using analytics can help you understand the full scale of a phishing campaign, and defenders can use this data to compare with internal signatures, for a more rounded detection and remediation process,” Shiomo wrote.

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.