This is how Google Analytics is abused by phishing scammers

Analytics markers can help fraudsters track victims and dupe them into visiting malicious domains - but can also light the way for defenders.


"You've won the Spanish lottery!", "I am the legal counsel for a hedge fund and you are entitled to claim the proceeds", "You owe $5000 in tax and must pay now" -- messages of this sort land in our inboxes daily, and they are designed to fool you into handing over sensitive information. 

In these attacks, known as phishing, fraudsters attempt to elicit an emotional response from you, whether fear that you have unwittingly angered the tax man or delight that you are about to come into unexpected cash. 

See also: Hook, line and sinker: How I fell victim to phishing attacks - again and again

Once you've been reeled in -- as I found myself in a recent Cofense spear-phishing experiment -- cybercriminals direct you to malicious domains that either host malware payloads or mimic legitimate sites and ask for your account credentials. 

As users have grown wiser to 'spray and pray' mass spam email campaigns, tactics have continued to evolve, and trusted services are now abused to further the ends of scammers. 

On Wednesday, cybersecurity researchers from Akamai revealed a study into how phishers are abusing data analytics platforms. Over half of all websites now use analytics to track and measure their visitor footfall, popular pages, engagement and time spent, and more. 

Google Analytics is the leading platform and the free service is estimated to cater to roughly 30 million websites. 

While legitimate site owners implement Google Analytics to measure ROI, fraudsters use the same service to collect technical markers about their visitors -- browser, country, and operating system -- and then tune phishing lures and malicious domains to reach the target audience more effectively. 


Akamai scanned 62,627 active phishing URLs belonging to 28,906 unique web domains. Some of these pages embedded Google Analytics tracking IDs (the UA-xxxxxxxx-y identifier in the analytics snippet), and many of those IDs appeared on more than one website. 

A fraudulent domain may carry a Google Analytics ID because the operator wants to measure the success of the phishing campaign, but in some cases the ID belonged to the legitimate site being impersonated, copied along with its source code when the page was cloned and reused without thought. 

In other cases, phishing websites had been sinkholed by the targeted companies, and the IDs were used to track these domains and redirect would-be victims back to safe waters.   

A phishing campaign of note uses an ID belonging to an analytics network connected to LinkedIn. Multiple phishing domains hosting the same ID have been linked to recent phishing campaigns targeting LinkedIn users. 


"The campaign registered many misleading domains to lure its victims, but each domain hosted a different variation of the phishing kit's source code, making it hard to detect them all without the Google ID," Akamai says.

Scammers may leverage Google Analytics for their own purposes, but the tracking code can also be of benefit to researchers attempting to find and shut down malicious websites.

In another case, a legitimate Airbnb tracking ID was found on a page targeting Airbnb logins, hosted on a domain that was itself benign but that allowed malicious subdomains to be created under it. Here the reuse of the original ID assisted researchers: it made the campaign "stand out like a beacon" and therefore far easier to close down. 

"Understanding the full reach of a given phishing campaign is a known problem when it comes to detection," the team commented. "Tracking IDs can help cluster the campaigns, which makes locating and tracking easier."
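The clustering idea above (shared tracking IDs tie otherwise unrelated phishing domains together, and an ID copied from the impersonated brand acts as a beacon) can be reproduced with a short script. The following is an added example, not Akamai's tooling or code from the report. The ID formats are the real Google Analytics ones (UA-xxxxxxxx-y for Universal Analytics, G-xxxxxxxxxx for GA4); every URL, HTML snippet and brand-ID entry in it is constructed sample data.

```python
"""Cluster phishing pages by the Google Analytics tracking ID embedded in their HTML.

Added example, not Akamai's tooling. The ID formats (UA-xxxxxx-y for Universal
Analytics, G-xxxxxxx for GA4) are real; every URL, HTML snippet and brand ID below
is constructed sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

UA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")   # Universal Analytics, e.g. UA-12345678-1
GA4_ID_RE = re.compile(r"\bG-[A-Z0-9]{6,12}\b")     # GA4 measurement ID, e.g. G-ABC123XYZ (loose match)

# Constructed sample: four phishing URLs and the HTML a crawler fetched from each.
SAMPLE_PAGES: Dict[str, str] = {
    # Two lures from one campaign: different kit source, same tracking ID.
    "https://linkedin-verify.example/login": (
        "<html><head><title>Sign in</title>"
        "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-11111111-1'></script>"
        "<script>gtag('config', 'UA-11111111-1');</script></head>"
        "<body><form action='/post.php'>...</form></body></html>"
    ),
    "https://linkedin-security-alert.example/verify": (
        "<html><body><script>ga('create', 'UA-11111111-1', 'auto');ga('send','pageview');"
        "</script><div class='kit-v2'>Confirm your account</div></body></html>"
    ),
    # Clone that kept the impersonated site's own tracking ID (the 'beacon' case).
    "https://brand-login.example/account": (
        "<html><head><script>gtag('config', 'UA-22222222-2');</script></head>"
        "<body>Welcome back</body></html>"
    ),
    # Page with no analytics at all: cannot be clustered by this method.
    "https://random-lure.example/": "<html><body><form>...</form></body></html>",
}

# Constructed lookup of tracking IDs known to belong to legitimate brands' sites.
# A defender would populate this from the brand's own pages; the entry here is hypothetical.
KNOWN_BRAND_IDS: Dict[str, str] = {"UA-22222222-2": "example-brand.com"}


def extract_ga_ids(html: str) -> Set[str]:
    """Return every Google Analytics tracking ID found in a page's HTML."""
    return set(UA_ID_RE.findall(html)) | set(GA4_ID_RE.findall(html))


def cluster_by_ga_id(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each tracking ID to the sorted list of phishing URLs that embed it."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for url, html in pages.items():
        for ga_id in extract_ga_ids(html):
            clusters[ga_id].add(url)
    return {ga_id: sorted(urls) for ga_id, urls in clusters.items()}


def flag_reused_brand_ids(clusters: Dict[str, List[str]],
                          brand_ids: Dict[str, str]) -> Dict[str, str]:
    """IDs copied from the impersonated site: the clone reports to the brand's own Analytics."""
    return {ga_id: brand_ids[ga_id] for ga_id in clusters if ga_id in brand_ids}


def untracked_urls(pages: Dict[str, str]) -> List[str]:
    """URLs that carry no tracking ID and so need another clustering signal."""
    return sorted(url for url, html in pages.items() if not extract_ga_ids(html))


if __name__ == "__main__":
    clusters = cluster_by_ga_id(SAMPLE_PAGES)
    for ga_id, urls in sorted(clusters.items()):
        print(f"{ga_id}: {len(urls)} page(s)")
        for url in urls:
            print(f"    {url}")
    for ga_id, brand in flag_reused_brand_ids(clusters, KNOWN_BRAND_IDS).items():
        print(f"BEACON: {ga_id} belongs to {brand}; pages using it impersonate that site")
    print("no tracking ID:", untracked_urls(SAMPLE_PAGES))
```

Run against a real crawl, the two LinkedIn-themed pages would be reported as one campaign despite their different kit source, which is exactly the detection gain Akamai describes, while the page that reused the brand's ID would be flagged immediately. The GA4 pattern is deliberately loose and can match unrelated "G-" tokens in page text, so treat a GA4 hit as a lead to confirm rather than a verdict.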

Google Analytics is not the only service that is abused by threat actors. Google Calendar, Photos, Drive, Storage, and more are also common tools exploited in phishing and spam. 

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0