Hackers Deploying Analytics for Better Phishing Aim
"Cyberattackers often make use of commercially available tools and techniques as well as their dark web kits."
Cybercriminals use analytics to attack specific areas or device types. To evaluate the metrics, kit developers use third-party analytic products, such as those developed by some popular web search engines.
That is a finding from a blog post by Akamai, the Cambridge, Mass.-based content delivery network and cloud security solutions provider. The post adds that, from a defender’s point of view, these analytics can in some cases help in understanding the full scale of a phishing attack.
“Phishing is an ecosystem of mostly framework developers and buyers who purchase kits to harvest credentials and other sensitive information,” Tomer Shlomo, Akamai security researcher, wrote. “Like many framework developers, those focusing on phishing kits want to create an efficient attack flow on their framework, from opening an email or clicking a link on a social media post, to visiting the phishing website, to completing the attack by sharing information, such as passwords.”
Shlomo noted that as phishing has evolved over the years, criminals have learned that technical markers, like browser identification, geolocation, and operating system, can help adjust the phishing website’s visibility and enable more granular targeting. “In order to evaluate these metrics, kit developers use third-party analytic products, such as those developed by Google, Bing, or Yandex, to gather the necessary details.”
Currently, 56.1% of all websites employ web metrics, with Google Analytics coming in as the foremost platform, the blog specified. Most websites use analytics for producing reports on user behavior, page views, and navigation through the site. These statistics also offer detailed user technical metrics such as operating system type, location, and browser type.
The report pointed out that analytic networks, tied to the back-end server, receive events from every page and summarize them into reports presented to the customer. A unique identifier (UID) recognizes each customer.
Akamai scanned 62,627 active phishing URLs, 54,261 of them non-blank pages belonging to 28,906 unique domains. “We discovered 874 domains with UIDs and 396 of the UIDs were unique Google Analytic accounts,” Shlomo explained in the blog. Moreover, additional websites used 75 of the UIDs.
By analyzing the source code of these websites, Akamai concluded that the analytic identifiers’ presence could be related to one of the following reasons:
- Phishing re-used UID: While attempting to duplicate the original website, the developers used copying tools to download the source code, reusing the analytic ID shipped with the original code.
- Phishing kit UID: Analytic IDs set by the framework developer to monitor the victim’s movement through the phishing website.
- Legitimate UIDs: Phishing websites, sinkholed by the targeted company, now redirect to the original website.
These results led to the discovery of various phishing campaigns as well as lists of new domains using the same UID. Akamai explained that grasping the complete scope of a specific phishing campaign is a recognized detection problem.
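The pivot described above, grouping phishing domains by the analytics UID found in their page source, can be sketched as follows. This is an added example, not Akamai's code: the ID patterns approximate the Google Analytics formats, and the domains, IDs and `brand_uids` inventory are constructed assumptions.

```python
import re
from collections import defaultdict

# Approximate Google Analytics ID layouts (assumption): Universal Analytics
# "UA-<account>-<property>" and GA4 measurement IDs "G-<alphanumeric>".
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

def extract_uids(html):
    """Return the set of analytics IDs present in a page's source."""
    return set(GA_ID.findall(html))

def cluster_by_uid(pages, brand_uids):
    """Group domains by analytics UID and label each UID.

    pages: {domain: html source}. brand_uids: UIDs the defender knows
    belong to the impersonated brands (hypothetical inventory).
    """
    by_uid = defaultdict(set)
    for domain, html in pages.items():
        for uid in extract_uids(html):
            by_uid[uid].add(domain)
    report = {}
    for uid, domains in by_uid.items():
        if uid in brand_uids:
            kind = "reused-from-original"   # cloned page kept the brand's ID
        elif len(domains) > 1:
            kind = "shared-across-domains"  # candidate kit or campaign UID
        else:
            kind = "single-domain"
        report[uid] = {"domains": sorted(domains), "kind": kind}
    return report

# Constructed sample pages; not real phishing sources or real IDs.
SAMPLE_PAGES = {
    "login-example-a.test": "<script>ga('create', 'UA-1111111-1', 'auto');</script>",
    "login-example-b.test": "<script>ga('create', 'UA-1111111-1', 'auto');</script>",
    "secure-example-c.test": "<script>gtag('config', 'G-ABCDEFGH12');</script>",
    "clone-example-d.test": "<script>ga('create', 'UA-2222222-3', 'auto');</script>",
    "blank-example-e.test": "<html></html>",
}
BRAND_UIDS = {"UA-2222222-3"}

if __name__ == "__main__":
    for uid, info in sorted(cluster_by_uid(SAMPLE_PAGES, BRAND_UIDS).items()):
        print(uid, info["kind"], info["domains"])
```

A UID labelled `shared-across-domains` is the pivot for finding further domains in the same campaign, while `reused-from-original` hits point at pages cloned from the brand's own site.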
“Using analytics can help you understand the full scale of a phishing campaign, and defenders can use this data to compare with internal signatures, for a more rounded detection and remediation process,” Shlomo said. He added, “Analytical data also helps understand domain targeting approaches. At the same time, analytics are just another brick in the phishing industry wall, representing the operational side used by developers to improve kits, and gather stats on campaign effectiveness.”
Colin Bastable, CEO of Austin, Texas-based security awareness and training company Lucy Security, observed, “Cyberattackers often make use of commercially available tools and techniques as well as their dark web kits. For example, the browser companies have forced website owners to deploy certificates, because of security. So, the bad guys add certs, enabling people to be robbed securely.”
Likewise, Google Analytics is incredibly useful, Bastable maintained. “Hackers are highly motivated and often smarter than the people who build defensive security technology. It makes sense that they use Google Analytics.”