
Google Analytics as an effective tool for cybercrime data theft


Google Analytics is not only useless to many, but potentially damaging to any website. Google Analytics makes data theft easier than ever before because it allows data to be sent to hackers' data pools.

Introduction

Cybercrime is a growing industry. Anyone who can steal credit card data or other sensitive data can turn it into profit. With Google Analytics, the popular analysis tool by Google, data theft becomes even easier.

To understand this, it helps to take a look behind the scenes. A cyber attack on a website often follows this pattern:

  1. Malicious program logic is smuggled onto the website
  2. The malware reads data from website visitors, for example from forms
  3. The data read is sent to a dedicated server to be exploited there.

The third step is the one that often fails, mainly because browsers or local firewalls block many data transfers. With Google Analytics, this problem can be almost completely eliminated for the hacker.

Methods for stealing data

A common method for stealing data from a third party is to lure the victim onto a prepared website. Ideally it's a website known to the victim. Attacks that copy well-known websites or are based on self-hosted websites are not considered further here.

Would you not also enter your password or credit card details in an online shop that you know and trust, if you were asked for them?

But how is a third-party website prepared in such a way that it can transmit data to an unknown party?

To this end, hackers exploit weaknesses in the program logic in the frontend (browser view of the website) or backend (software running on the server). Well-known attack methods include:

  • SQL Injection
  • Cross-Site Scripting (XSS) / JavaScript Injection / HTML Injection
  • Security vulnerabilities in server code / backdoors
  • Session Hijacking

For example, a JavaScript snippet can be injected into a website using a prepared link. The prepared link is sent to the victim. If the victim clicks on the link, the familiar website is loaded. In addition, malicious code is executed unnoticed on the website via the prepared link.

Once malicious code has been successfully smuggled onto a website, the recorder is ready for use. It now only has to record the data and send it to the criminal.

How hacking works with Google Analytics

What could be more obvious than sending the captured data to the hacker's own Google Analytics account?

The benefits of Google Analytics from a hacker's perspective are enormous. The domain google-analytics.com is often allowed for data transfers as a matter of course. On a website that uses Google Analytics, a data transfer to a different Analytics account does not stand out to an amateur. Even professionals would have to look for it very specifically to detect an exploit.

[Figure: Standard data package that is sent for a Google Analytics tracking event.]

With Google Analytics, any data can be sent to a personal data pool. For example, parameters or the referrer URL are used, to which values can be attached unnoticed. It is easy to encrypt or encode the data before sending it with Analytics, so the data flows are difficult to detect.

Sending data over Google Analytics even works in what is called Consent Mode by Google. If the user has not yet consented, Google Analytics still sends a so-called Ping to Google servers. The Ping is equivalent to a normal tracking event. The difference is that the data does not land in the Analytics data pool. The way out for hackers is to set the parameter gcs with an appropriate value if the website actively uses Consent Mode.

Google Analytics is the perfect weapon for hackers to capture sensitive data.

The current reality.

If the hacker wants to know whether the attack was successful, they simply log into their Google Analytics account and check the dashboard to see what data has been recorded. With the export function and the Analytics Reporting API, data can even be retrieved in large quantities and very conveniently.

Since so many websites use Google Analytics, there is a high chance that hackers will find this effective and hard-to-detect mechanism of data misuse available to them.
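
One way to look for the transfers described above, as an added example that is not part of the original article: the sketch audits captured request URLs (for instance from a proxy log or a browser HAR export) and flags Analytics hits whose `tid` property ID is not the site's own, or whose parameters carry long opaque tokens. The property IDs, the sample URLs and the 40-character threshold are constructed assumptions.

```javascript
// Added example: audit captured request URLs for Analytics hits that leave
// the site's own property. All IDs and URLs below are constructed samples.
const OWN_PROPERTY_IDS = new Set(["G-OWNSITE001"]); // placeholder for the site's real ID
const GA_HOST = /(^|\.)google-analytics\.com$/;
const OPAQUE_TOKEN = /[A-Za-z0-9_-]{40,}/; // heuristic: long unbroken encoded-looking run

function auditRequest(rawUrl, ownIds = OWN_PROPERTY_IDS) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // skip unparsable log lines
  if (!GA_HOST.test(url.hostname)) return null;          // not an Analytics request
  const findings = [];
  const tid = url.searchParams.get("tid");               // property the hit is sent to
  if (!tid) findings.push("missing tid");
  else if (!ownIds.has(tid)) findings.push(`foreign property ${tid}`);
  // Values are already percent-decoded, so tokens hidden inside dl/dr URLs show up too.
  for (const [key, value] of url.searchParams) {
    if (OPAQUE_TOKEN.test(value)) findings.push(`opaque token in ${key}`);
  }
  // gcs (consent state) is returned only as context for the analyst.
  return { tid, gcs: url.searchParams.get("gcs"), findings };
}

// Returns only the requests that produced at least one finding.
function auditLog(urls, ownIds = OWN_PROPERTY_IDS) {
  return urls
    .map((u) => ({ url: u, report: auditRequest(u, ownIds) }))
    .filter((r) => r.report && r.report.findings.length > 0);
}

const TOKEN = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"; // constructed filler
const BASE = "https://www.google-analytics.com/g/collect?v=2&en=page_view";
const PAGE = encodeURIComponent("https://shop.example/checkout");
const SAMPLE_LOG = [
  `${BASE}&tid=G-OWNSITE001&gcs=G111&dl=${PAGE}`,            // expected traffic
  `${BASE}&tid=G-FOREIGN999&gcs=G111&dl=${PAGE}`,            // hit for another account
  `${BASE}&tid=G-OWNSITE001&gcs=G111&dl=${PAGE}&dr=` +
    encodeURIComponent(`https://shop.example/?r=${TOKEN}`),  // value attached to referrer
  "https://cdn.example/app.js",                              // unrelated request
];

for (const { url, report } of auditLog(SAMPLE_LOG)) {
  console.log(report.findings.join("; "), "<-", url.slice(0, 80));
}
```

Because every Analytics account is reached through the same host, a host-based allow-list cannot make this distinction; the check has to look at the query string of each request.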

Recommendations

Less is more. On average, less program code means fewer vulnerabilities. Securing existing program code is time-consuming. Interfaces (client calls server) are particularly vulnerable. If you want or need to go deeper here, you should expect higher costs.

Without Google Analytics a website is safer than with this tool. I regularly wonder who can increase their sales using Google Analytics. First, Google comes to mind. Second, larger companies with high advertising budgets come to mind. It's hard for me to believe in the miracle of money-making through Google products at small and medium-sized businesses.

I don't want to continue this marketing discussion here. However, some constructive conversations with online marketers have shown me that usually a significant effort and a significant amount of knowledge as well as a significant budget are required for Google products to really pay off for a company.

Online advertising is often an expression of desperation and/or a lack of creativity.

My experience, which certainly doesn't apply to everyone, but seems to apply to many advertisers.

You can clearly see when online advertising doesn't work directly. In stark contrast to print advertising, where a lot of guessing begins after publication. However, many don't want to know that an advertising measure has failed, but rather that the measure was successful. In this context, some excellent conversions over print advertising, online articles or personal contacts come to mind, but not a single excellent conversion over online advertising. I say that as someone who had a lot of experience with Google Ads and Facebook Advertising before the introduction of the GDPR.

Before using Google Ads or Google Analytics as a wonder drug, one should first try simpler, more conventional means that are legally

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
