Is anyone not using Google Analytics?

Marketers, advertisers, phishers…

Analytics tracking codes are an easy way to discover a company's online footprint.

[Screenshot: ThreatPipes Google Analytics tracking]

For example, techcrunch.com returns 12 domains related to its Google Analytics tracking ID UA-991406, including crunchbase.com, techcrunch.tv, and inviteshare.com.

Larger companies might return hundreds of related sites, often charting old projects and acquisitions.

Rightly, there is a lot of talk about controlling tracking on the internet.

[Screenshot: ThreatPipes web analytics tracking]

Tracking services won't disappear any time soon, though. They serve a very useful purpose for website owners.

At the simplest level that might mean tracking page views or where a visitor came from.

Malicious actors are no different.

The number of callbacks to a C2 domain. Credentials entered into a phishing site. Where the traffic to their sites originates from.

Sophisticated actors will do this at the server level. They won't expose tracking information to the client.

Would I call most phishing campaigns sophisticated?

Hi Davdi, we have seen suspisious activity for account. Plz reset password for Google account here: https://forms.google.com/myform

No.

But they are curious.

What’s the quickest, easiest, and cheapest way to track your phishing sites?

Google Analytics.

With many out-of-the-box phishing frameworks available, actors can deploy hundreds of sites in minutes with little oversight.

While researching phishing domains, I've seen the owners of these campaigns be incredibly lazy.

Not only will they use a free service like Google Analytics, they will also use the same analytics tracking code across all their sites.

[Screenshot: ThreatPipes web analytics network graph]

It makes it brilliantly simple to watch all their campaigns in action.
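The pivot described above, as an added example in Python (not ThreatPipes code, and not the SpyOnWeb lookup listed below): pull Google Analytics IDs out of page source and group domains that share an account. The sample pages, domains and tracking IDs are constructed for illustration; the ID formats (UA-nnnnnn-n for Universal Analytics, G-XXXXXXXXXX for GA4) are the real ones that appear in analytics.js and gtag.js snippets.

```python
"""Cluster domains by the Google Analytics ID they embed.

Added example, not ThreatPipes code. All domains, IDs and page bodies
below are constructed; no network access is needed.
"""
import re
from collections import defaultdict

# Universal Analytics property IDs (UA-123456-1) and GA4 measurement
# IDs (G-ABCDEF1234) as they appear in analytics.js / gtag.js snippets.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}(?:-\d{1,4})?|G-[A-Z0-9]{6,12})\b")


def extract_tracking_ids(html: str) -> set[str]:
    """Return every Google Analytics ID embedded in a page body."""
    return set(GA_ID_RE.findall(html))


def normalise(tracking_id: str) -> str:
    """Collapse UA property suffixes: UA-123456-1 and UA-123456-3 belong
    to the same account, so they should pivot together."""
    if tracking_id.startswith("UA-"):
        return "-".join(tracking_id.split("-")[:2])
    return tracking_id


def cluster_by_tracking_id(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each normalised tracking ID to the domains that serve it.

    pages: {domain: html_body}. Domains with no ID appear in no cluster.
    """
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            clusters[normalise(tid)].add(domain)
    return dict(clusters)


def related_domains(pages: dict[str, str], domain: str) -> set[str]:
    """Every other domain sharing at least one tracking account with `domain`."""
    related: set[str] = set()
    for members in cluster_by_tracking_id(pages).values():
        if domain in members:
            related |= members
    related.discard(domain)
    return related


# Constructed sample pages (hypothetical domains, not real campaigns).
SAMPLE_PAGES = {
    "login-secure-update.example": (
        '<script async src="https://www.googletagmanager.com/gtag/js'
        '?id=UA-1234567-1"></script>\n'
        "<script>gtag('config', 'UA-1234567-1');</script>"
    ),
    # Same account, different property number: the lazy reuse the post describes.
    "account-verify.example": "ga('create', 'UA-1234567-3', 'auto'); ga('send', 'pageview');",
    "corp-intranet.example": "gtag('config', 'G-AB12CD34EF');",
    "unrelated.example": "<html><body>no analytics here</body></html>",
}

if __name__ == "__main__":
    for tid, domains in sorted(cluster_by_tracking_id(SAMPLE_PAGES).items()):
        print(f"{tid}: {', '.join(sorted(domains))}")
    print("related to login-secure-update.example:",
          sorted(related_domains(SAMPLE_PAGES, "login-secure-update.example")))
```

In practice the `pages` dict would be filled by fetching the landing page of each candidate domain (or from a passive source such as SpyOnWeb); the clustering step is what turns a pile of phishing domains into one campaign with a single tracking account behind it.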

Many of us might jump straight to the nameserver level to look for connections between malicious sites.

Often that’s giving too much credit to the bad guys.

ThreatPipes Modules relevant to this post

  • SpyOnWeb: Search SpyOnWeb for hosts sharing the same IP address, Google Analytics code, or Google AdSense code.
  • DNS Raw Records: Retrieves raw DNS records such as MX, TXT and others.
  • WHOIS: Perform a WHOIS look-up on domain names and owned netblocks.
  • WhatCMS: Check web technology using WhatCMS.org API.

Here are hundreds more…

David Greenwood, ThreatPipes Team