Detecting and tracking phishing campaigns through web analytics identifiers

Cyber crooks are quick to abuse legitimate services for their own malicious purposes. One of the latest instances demonstrating this propensity involves phishing kit developers using web analytics to collect statistics on campaign effectiveness – information that helps them to continually improve their kits and keep up with demand.

But web analytics can also help defenders understand the full scale of a phishing campaign and mount takedown actions quickly, Akamai researchers noted.

Google Analytics is, by far, the most popular choice for site owners who want to see how visitors behave on their site (How did they end up on the site? How long do the stay? How many and which pages they visit?), what OS and browser they are using, where they are located, and so on.

Alternatives include analytic tools/solutions by Microsoft, Yandex (Yandex.Metrica), etc.

Most websites on the Internet are using web analytics these days but, as it turns out, many phishing pages also collect information about visitors’ activities.

Akamai researchers have scanned 62,627 active phishing URLs on 28,906 unique domains, and found that 874 domains contained a web analytics UID (a unique identifier that is assigned to each web analytics service customer).

Of those, 396 of the UIDs were unique Google Analytics accounts and 75 were used in more than one website.

So they’ve analyzed the source code of these websites and discovered that some of the sites contained analytic IDs set by the framework developer to monitor the victim’s movement through the phishing website.

But they also encountered:

• Instances of phishing websites having been sinkholed by the targeted company and redirecting to their legitimate login site (these contained the company’s legitimate web analytics UID)
• Phishing websites containing the targets’ legitimate analytics UID, which was there because phishing kit developers have copied much of the original website’s source code and forgot to remove it.

Using the UIDs to track and take down phishing sites

“These results led to the discovery of various phishing campaigns as well as lists of new domains using the same UID. For example, UA-3242811 is an old analytic network, related to LinkedIn. It was also used recently for targeting LinkedIn users, between April-July this year,” Akamai researcher Tomer Shlomo explained.

“The campaign registered many misleading domains to lure its victims, but each domain hosted a different variation of the phishing kit’s source code, making it hard to detect them all without the Google ID.”

Similarly, the phishers’ reuse of an UID associated with an analytic network targeting AirBnB logins made their phishing attempts “standout like a beacon” despite the detection evasion techniques they employed.

“If an attacker uses a target’s actual UID, as mentioned, they’ll stand out like a beacon, but the real leverage for using UIDs is when you spot the ones used by criminals themselves,” he noted.

“But when a criminal uses their own UID, they do so across all of their kits, so not only is it possible to track a single phishing campaign, it is sometimes possible to track multiple campaigns at once and tune defenses accordingly.”