iMyFone LockWiper

iMyFone LockWiper

Helps you bypass the iPhone passcode in case you forgot it and the device became unusable or you have to wait for a long time before attempting to unlock it again

FULL VERSION + CRACK
Voicemod

Voicemod

Real-time voice changer that works with any application and comes equipped with an extensive collection of voices and ambient effects

FULL VERSION + CRACK
Flvto Youtube Downloader

Flvto Youtube Downloader

With this simple and intuitive application, you can swiftly download all your favorite online videos to your computer, in just a couple of moves

FULL VERSION + CRACK
Logic Pro X

Logic Pro X

A fully-featured recoding studio that provides a complete set of tools for musicians who need to write, record, edit and mix music

FULL VERSION + CRACK
Internet Download Manager (IDM)

Internet Download Manager (IDM)

Push your Internet connection to the limits and cleverly organize or synchronize download processes with this powerful application

FULL VERSION + CRACK

IT News

Nov 15
The newly discovered Pipka script can delete itself from a website after execution, making it very difficult to detect.
Nov 15
Jamf has built a unique event that digs deep into the community it serves and echoes the big shows Apple used to put on.
Nov 15
Enterprises will soon have access to Azure Arc and Azure Synapse Analytics, two new services that bolster Microsoft's cloud offerings.
Nov 15
The latest version of Windows 10 is little more than a rerun of the May version of the operating system, though it does offer a few new features.
Nov 14
On the same day it unveiled its newest laptop, the company also announced that the new Mac Pro will ship in December.
Nov 13
The software, initially designed to help IT teams track and resolve service requests, can now be configured for use in non-tech areas such as HR and legal.
Nov 13
IBM, which has embraced Apple hardware in a big way, says the employees who use Macs are more likely to stay at the company - and are more productive. The insights came at this weeks Jamf Nation User Conference.

Categories

Defenders can discover phishing sites through web analytics IDs

An increasing number of phishing websites use web analytics services and have unique tracking IDs in their code, security researchers have found. Whether intentional or accidental, the use of such IDs can help defenders discover phishing pages that are used across large attack campaigns.

Researchers from content delivery network Akamai analyzed a set of 54,261 active phishing pages served from 28,906 unique domains and found that 874 domains had web analytics IDs associated with them. Around 396 IDs were from Google Analytics and 75 were used across multiple websites.

Web analytics services assign unique user IDs (UIDs) to customers to track how visitors interact with their websites and to collect information about their browsers, operating systems, geo-location and other details. Such data is important for site owners because it helps them understand their audience's behavior and adapt their content accordingly, which is why it's estimated that over half of the websites on the internet use some form of web analytics.

Cybercriminals also understand the value of this data to gauge the performance of their attacks and achieve more granular targeting. As such, the creators of phishing kits - commercial tools that are used to set up phishing sites - have started to incorporate web analytics into their products and often rely on the same analytics services that legitimate websites use.

In some cases, the presence of unique UIDs on phishing pages can be accidental and a result of attackers failing to remove legitimate UIDs when scraping and duplicating websites.

UIDs a beacon for defenders

Attackers rarely impersonate just one website or set up just one phishing URL. Instead, phishing attacks are often part of large campaigns that target multiple websites at once and are made up of phishing pages distributed across multiple domains to bypass detection and withstand takedown attempts.

For example, if an organization's security team manually blocks a phishing URL that was reported by an employee after a rogue email made it past the corporate spam filter, it doesn't guarantee that the whole attack against the company has been thwarted. Another phishing email received by another employee could have a different URL, even if it's part of the same campaign. Automated URL blacklisting solutions also rely on intelligence feeds from security vendors and they are updated only after vendors detect the attack campaigns and identify the malicious URLs that are part of them.

The use of the same analytics UID across multiple phishing pages can, however, be easily used by defenders to create a detection signature or web firewall rule that blocks all pages from the same campaign. This can be useful to both security vendors and enterprise security teams.

Furthermore, if attackers make the mistake of leaving a cloned website's legitimate analytics UID in their phishing pages, the owners of the impersonated websites can track them down and report them to domain registrars as they will likely get reports in their analytics accounts about user traffic on those pages.

"Analytics help criminals focus on victims and narrow their attack to a given area or device type," the Akamai researchers said in a report released today. "It isn't at all uncommon to see a phishing attack target iOS devices while, for example, ignoring Android; sometimes this is due to the fact that the criminal has been tracking the most common users to their page and knows that Android users are less likely to be victimized. But when a criminal uses their own UID, they do so across all of their kits, so not only is it possible to track a single phishing campaign, it is sometimes possible to track multiple campaigns at once and tune defenses accordingly."

UIDs already used to discover phishing campaigns

Akamai provided two examples where the use of web analytics UIDs on phishing pages allowed its researchers to identify much larger campaigns. One was a campaign that targeted LinkedIn users and used many misleading domains that all shared the same Google Analytics UID, which was probably added by the phishing kit's creator. The second was a campaign targeting AirBnB users that used subdomains on 000webhostapp.com, a legitimate site hosting service. The second campaign used the original AirBnB web analytics UID, which allowed the malicious subdomains to be easily identified.

"Enterprise security teams can track their own analytic UIDs that are being used in the wild as the result of their website content being copied for building phishing website," Akamai Security Researcher Tomer Shlomo tells CSO via email. "Security researchers and security vendors will use phishing Toolkit UIDs which will give them the ability to track other phishing websites and the ability to assess the scale of the campaign or find other phishing activities deployed by the same threat actor."

This story, "Defenders can discover phishing sites through web analytics IDs" was originally published by CSO.