Defenders can discover phishing sites through web analytics IDs

Many phishing websites are now using unique user IDs, and that gives defenders a signal to detect phishing attacks before they do much damage

An increasing number of phishing websites use web analytics services and have unique tracking IDs in their code, security researchers have found.

Whether intentional or accidental, the use of such IDs can help defenders discover phishing pages that are used across large attack campaigns.

Researchers from content delivery network Akamai analysed a set of 54,261 active phishing pages served from 28,906 unique domains and found that 874 domains had web analytics IDs associated with them. Around 396 IDs were from Google Analytics and 75 were used across multiple websites.

Web analytics services assign unique user IDs (UIDs) to customers to track how visitors interact with their websites and to collect information about their browsers, operating systems, geo-location and other details.

Such data is important for site owners because it helps them understand their audience’s behaviour and adapt their content accordingly, which is why it’s estimated that over half of the websites on the internet use some form of web analytics.

Cyber criminals also understand the value of this data to gauge the performance of their attacks and achieve more granular targeting. As such, the creators of phishing kits — commercial tools that are used to set up phishing sites — have started to incorporate web analytics into their products and often rely on the same analytics services that legitimate websites use.

In some cases, the presence of unique UIDs on phishing pages can be accidental and a result of attackers failing to remove legitimate UIDs when scraping and duplicating websites.

UIDs a beacon for defenders

Attackers rarely impersonate just one website or set up just one phishing URL. Instead, phishing attacks are often part of large campaigns that target multiple websites at once and are made up of phishing pages distributed across multiple domains to bypass detection and withstand takedown attempts.

For example, if an organization’s security team manually blocks a phishing URL that was reported by an employee after a rogue email made it past the corporate spam filter, it doesn’t guarantee that the whole attack against the company has been thwarted.

Another phishing email received by another employee could have a different URL, even if it’s part of the same campaign. Automated URL blacklisting solutions also rely on intelligence feeds from security vendors and they are updated only after vendors detect the attack campaigns and identify the malicious URLs that are part of them.

The use of the same analytics UID across multiple phishing pages can, however, be easily used by defenders to create a detection signature or web firewall rule that blocks all pages from the same campaign. This can be useful to both security vendors and enterprise security teams.

Furthermore, if attackers make the mistake of leaving a cloned website’s legitimate analytics UID in their phishing pages, the owners of the impersonated websites can track them down and report them to domain registrars as they will likely get reports in their analytics accounts about user traffic on those pages.

“Analytics help criminals focus on victims and narrow their attack to a given area or device type,” the Akamai researchers said in a report released today.

“It isn’t at all uncommon to see a phishing attack target iOS devices while, for example, ignoring Android; sometimes this is due to the fact that the criminal has been tracking the most common users to their page and knows that Android users are less likely to be victimised.

"But when a criminal uses their own UID, they do so across all of their kits, so not only is it possible to track a single phishing campaign, it is sometimes possible to track multiple campaigns at once and tune defences accordingly.”

UIDs already used to discover phishing campaigns

Akamai provided two examples where the use of web analytics UIDs on phishing pages allowed its researchers to identify much larger campaigns.

One was a campaign that targeted LinkedIn users and used many misleading domains that all shared the same Google Analytics UID, which was probably added by the phishing kit’s creator. The second was a campaign targeting AirBnB users that used subdomains on 000webhostapp.com, a legitimate site hosting service.

The second campaign used the original AirBnB web analytics UID, which allowed the malicious subdomains to be easily identified.

“Enterprise security teams can track their own analytic UIDs that are being used in the wild as the result of their website content being copied for building phishing website,” Akamai Security Researcher Tomer Shlomo tells CSO via email.

“Security researchers and security vendors will use phishing Toolkit UIDs which will give them the ability to track other phishing websites and the ability to assess the scale of the campaign or find other phishing activities deployed by the same threat actor."