A report from security firm Akamai found that hackers were using analytics services to optimize their phishing efforts.
According to Akamai researcher Tomer Shlomo, about 56% of all internet websites use web analytics, giving phishing kit developers ample opportunity to access troves of detailed reports with a variety of statistics like page views and geo-locations as well as other general user behavior information.
“As phishing has evolved over the years, criminals have learned that technical markers, like browser identification, geo-location, and operating system, can help adjust the phishing website’s visibility, and enable more granular targeting,” Shlomo wrote in the report.
“In order to evaluate these metrics, kit developers use third-party analytics products, such as those developed by Google, Bing, or Yandex, to gather the necessary details,” he added.
Framework developers, who make up a large portion of the phishing ecosystem, buy kits that help them steal credentials and gain access to private data. In order to make these attacks more effective, these developers are looking to build efficient attack flows.
Shlomo explained that these attack flows should be simple, like opening an email or clicking a link on a social media post, visiting a phishing website, or completing the attack by sharing data like passwords.
These analytics help hackers home in on specific people and tailor their phishing attempts to specific areas or devices. Attacks targeting Airbnb and LinkedIn users were augmented by analytics that gave hackers more granular user information for easier targeting.
“Akamai scanned 62,627 active phishing URLs of which 54,261 are non-blank pages that belong to 28,906 unique domains,” Shlomo added.
“We discovered 874 domains with unique identifiers and 396 of the unique identifiers were unique Google Analytic accounts. Moreover, 75 of the unique identifiers were used in more than one website,” he said in the report.
The report does highlight that, ironically enough, the best defense against analytics is more analytics. To help address phishing attacks like this, security teams should use many of the same tactics as their adversaries in order to understand the full reach of phishing campaigns and take steps toward tracking or locating attackers.
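The following is an added example, not code from the Akamai report: one way a defender could reproduce the identifier-reuse measurement, by pulling Google Analytics IDs out of captured phishing page HTML and grouping the domains that share an account. The ID patterns (`UA-<account>-<property>` and `G-<id>`), the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed ID formats: legacy Universal Analytics "UA-<account>-<property>"
# and GA4 measurement IDs "G-<alphanumeric>".
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b")

def extract_ids(html):
    """Return the set of analytics tracking IDs found in one page's HTML."""
    return set(GA_ID.findall(html))

def account_key(tracking_id):
    """Collapse UA property IDs to their account part; G- IDs stay whole."""
    if tracking_id.startswith("UA-"):
        return "-".join(tracking_id.split("-")[:2])
    return tracking_id

def cluster_by_account(pages):
    """pages: iterable of (url, html). Returns {account: sorted domains}."""
    clusters = defaultdict(set)
    for url, html in pages:
        domain = urlparse(url).hostname
        for tid in extract_ids(html):
            clusters[account_key(tid)].add(domain)
    return {acct: sorted(domains) for acct, domains in clusters.items()}

def reused(clusters):
    """Keep only accounts seen on more than one domain (likely same kit/operator)."""
    return {acct: d for acct, d in clusters.items() if len(d) > 1}

# Constructed sample input: HTML as it might be captured from flagged URLs.
SAMPLE_PAGES = [
    ("http://login-a.example.test/signin",
     "<script>ga('create', 'UA-1234567-1', 'auto');</script>"),
    ("http://secure-b.example.test/verify",
     "<script>ga('create', 'UA-1234567-2', 'auto');</script>"),
    ("http://portal-c.example.test/",
     "<script>gtag('config', 'G-ABCDE12345');</script>"),
    ("http://blank-d.example.test/", ""),  # blank page, no identifier
]

if __name__ == "__main__":
    for acct, domains in reused(cluster_by_account(SAMPLE_PAGES)).items():
        print(acct, "->", ", ".join(domains))
```

A shared account across otherwise unrelated domains is a pivot for linking pages to one campaign or kit; it does not by itself identify the operator, since kits can ship with the developer's ID embedded.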
“Analytics is just another brick in the phishing industry wall, representing the operational side used by developers to improve kits and gather stats on campaign effectiveness. Overall, what we’ve shown here is another instance where criminals abuse legitimate services for malicious purposes,” Shlomo said.