Phishing has evolved steadily over the years, and cybercriminals have learned to exploit technical markers such as browser identification, geolocation and operating system to enable granular targeting.
However, these are not the only markers phishers have been using lately: to evaluate such metrics, they need analytics tools, such as Google Analytics, to gather the necessary information, a new Akamai report says.
Google Analytics Is Preferred by Phishing Operators
In other words, cybercriminals who specialize in phishing attacks are getting better at leveraging a range of technical markers in web analytics to improve their attacks and make them highly targeted. It seems that Google Analytics is the preferred analytics tool even among phishers.
It is noteworthy that “today 56.1% of all Internet websites are using web analytics, with Google Analytics coming in as the leading platform. Most websites are using analytics for generating reports on user behavior, page views, and their journey through the site. These statistics also offer detailed user technical metrics such as OS type, geo-location, browser type, etc.”
There is a growing body of evidence that cybercriminals are now adopting web analytics for their own purposes. This is not too surprising: phishers are also interested in driving traffic to specific pages, and want to get better at luring potential victims into clicking on links. What better way to improve efficiency than using analytics tools?
An interesting discovery is that website owners protecting their sites against phishing attempts can detect phishers through the unique identifier (UID), which is used to identify users. The UID contains two parts: the unique analytics network account ID (XXXXX) and the view (property) number.
Akamai scanned 62,627 active phishing URLs, of which 54,261 are non-blank pages that belong to 28,906 unique domains. The researchers discovered 874 domains with UIDs, and 396 of the UIDs were unique Google Analytics accounts. Moreover, 75 of the UIDs were used in more than one website.
The researchers analyzed the code of these websites and concluded that the presence of the analytics identifiers could be related to one of the following reasons:
1. Phishing re-used UID: While attempting to duplicate the original website, the developers used copying tools such as HTTrack or wget to download the source code, reusing the analytic ID shipped with the original code.
2. Phishing kit UID: Analytic IDs set by the framework developer to monitor the victim’s movement through the phishing website.
3. Legitimate UIDs: Phishing websites that were sinkholed by the targeted company and now redirect to the original website.
These results led to the discovery of various phishing campaigns as well as lists of new domains using the same UID.
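The grouping described above can be sketched as follows. This is an added example, not code from the Akamai report: it assumes the UID is a classic Google Analytics tracking ID of the form UA-XXXXX-Y, and the domains, page sources, IDs and label names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed UID format: UA-<account ID>-<view/property number>.
UID_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")

def extract_uids(html):
    """Return the set of (account_id, property_number) pairs found in a page."""
    return {(m.group(1), m.group(2)) for m in UID_RE.finditer(html)}

def classify(pages, brand_accounts, brand_domains):
    """pages maps domain -> HTML. Returns {account_id: (label, foreign domains)}."""
    by_account = defaultdict(set)
    for domain, html in pages.items():
        for account, _prop in extract_uids(html):
            by_account[account].add(domain)
    report = {}
    for account, domains in by_account.items():
        # Only domains the brand does not own are of interest.
        foreign = sorted(d for d in domains if d not in brand_domains)
        if not foreign:
            continue
        if account in brand_accounts:
            label = "reused-brand-uid"   # cloned page or sinkholed domain
        elif len(foreign) > 1:
            label = "shared-uid"         # one account seen on several domains
        else:
            label = "single-site-uid"
        report[account] = (label, foreign)
    return report

# Constructed sample data (reserved .example/.test names, made-up IDs).
SAMPLE_PAGES = {
    "bank.example": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "bank-login.test": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "secure-pay.test": "<script>ga('create','UA-7654321-2');</script>",
    "verify-acct.test": "<script>gtag('config', 'UA-7654321-2');</script>",
    "blog.test": "<script>gtag('config', 'UA-5550001-1');</script>",
    "empty.test": "<html><body>login</body></html>",
}

if __name__ == "__main__":
    found = classify(SAMPLE_PAGES, {"1234567"}, {"bank.example"})
    for account, (label, domains) in sorted(found.items()):
        print(account, label, ", ".join(domains))
```

A brand UID on a foreign domain covers both reason 1 and reason 3 in the list above, so each such hit still needs a manual check of whether the domain has been sinkholed.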
It remains to be seen how phishing will change in 2020, though it will most certainly continue to evolve.