Cybercriminals using Google Analytics to enhance phishing efforts

A report from security firm Akamai found that hackers were using analytics services to optimize their phishing efforts.

How sophisticated phishing grants attackers total control of your computer Phishing is all about the bad guy and fooling the victim, says Kevin Mitnick, founder, Mitnick Security Consulting. Mitnick knows about bad guys-he used to be one.

Cloud security firm Akamai released a new report on Wednesday showing cybercriminals are using Google Analytics and other tools to measure the effectiveness of phishing campaigns.

According to Akamai researcher Tomer Shlomo, about 56% of all internet websites use web analytics, giving phishing kit developers ample opportunity to access troves of detailed reports with a variety of statistics like page views and geo-locations as well as other general user behavior information. 

"As phishing has evolved over the years, criminals have learned that technical markers, like browser identification, geo-location, and operating system, can help adjust the phishing website's visibility, and enable more granular targeting," Shlomo wrote in the report

"In order to evaluate these metrics, kit developers use third-party analytic products, such as those developed by Google, Bing, or Yandex, to gather the necessary details," he added.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic Premium)

Framework developers, who make up a large portion of the phishing ecosystem, buy kits that help them steal credentials and gain access to private data. In order to make these attacks more effective, these developers are looking to build efficient attack flows. 

Shlomo explained that these attack flows should be simple, like opening an email or clicking a link on a social media post, visiting a phishing website or completing the attack by sharing data like passwords.

These analytics help hackers hone in on specific people and tailor their phishing attempts to specific areas or devices. Attacks targeting AirBnB and LinkedIn users were augmented by analytics that gave hackers more granular user information for easier targeting.

"Akamai scanned 62,627 active phishing URLs of which 54,261 are non-blank pages that belong to 28,906 unique domains," Shlomo added. 

"We discovered 874 domains with unique identifiers and 396 of the unique identifiers were unique Google Analytic accounts. Moreover, 75 of the unique identifiers were used in more than one website," he said in the report. 

The report does highlight that, ironically enough, the best defense against analytics is more analytics. To help address phishing attacks like this, security teams should use many of the same tactics as their adversaries in order to understand the full reach of phishing campaigns and take steps toward tracking or locating attackers. 

"Analytics are just another brick in the phishing industry wall, representing the operational side used by developers to improve kits, and gather stats on campaign effectiveness. Overall, what we've shown here is another instance where criminals abuse legitimate services for malicious purposes," Shlomo said.

Also see

How to become a cybersecurity pro: A cheat sheet (TechRepublic)
Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
Windows 10 security: A guide for business leaders (TechRepublic Premium)
Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
The best password managers of 2019 (CNET)
Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)

Fingerprint login authorization and cyber security concept. Blue integrated circuit with locks on background. Control access and authentication online.

 

Image: Getty Images/iStockphoto