Date: 2021-04-22



Google Analytics was born as a web server log analysis package developed by Urchin Software, which was acquired by Google in 2005. Google Analytics quickly came to dominate the website analytics space because it was provided free of charge, while competing site analytics software such as WebTrends and Omniture cost hundreds of thousands of dollars. Virtually every small site and blog chose Google Analytics because they could not afford anything else. Today, Google Analytics holds the majority of the site analytics market (76% of the top 1,000 sites and 88% of the top 100,000 sites).

[Figure: Google Analytics market share on top sites. Source: W3Techs, April 2021]

Publishers, e-commerce sites, and marketers rely on Google Analytics data to make decisions that affect their business. However, few of them understand the vulnerabilities in Google Analytics and how those vulnerabilities endanger them. As with any technology, a feature that is useful can also be abused by others for fraudulent gain. In the case of Google Analytics (GA), the vulnerability is that a third party can write data into a site's GA property simply by obtaining its UA identifier (the tracking ID, which is published in the source code of the web page). Being able to write data to GA is, of course, a feature; Google even provides complete online documentation showing how to do it.

However, not requiring a password or any other form of authentication to write data is a security loophole that has remained unpatched for 16 years, despite being actively abused. Google Analytics 4, released in October 2020, finally added the most basic form of authentication: an API key that must be supplied before data can be written. The loophole remains in older versions of GA, and it will take time for millions of sites to upgrade to GA4. While GA has many ongoing exploits, this article focuses on those that directly affect marketers and the business decisions they make based on insights from Google Analytics.

Phantom Traffic: The Appearance of Traffic in GA

Site owners are often desperate for traffic; the more traffic, the better. This has spawned a large criminal enterprise that profits from selling traffic. Of course, the traffic comes from bots, not humans, because there is no way to command a large number of people to visit a particular website. Yet buyers kept buying it as long as they believed the traffic came from people visiting their site. A simple Google search for "purchase traffic" returns 1.7 billion results, among them hundreds of thousands of traffic sellers who accept credit cards, PayPal, or, these days, cryptocurrency.

In some cases, the traffic seller does not even send actual bot traffic. After all, when you can trick Google Analytics into displaying phantom traffic, why spend time building a botnet and paying the bandwidth costs of bots actually loading the web page? This is exactly how GA is being abused: scammers send false data to GA so that it appears they are delivering a lot of traffic even though they are not delivering any traffic at all. The video demo below shows how this simple exploit can display more than 13,000 concurrent visitors on a site that does not actually have a single visitor.

Phantom Clicks and Sources: The Appearance of Performance in GA

Fake data written to Google Analytics can also be very detailed, using the Urchin Tracking Module (UTM) parameters (the name is a holdover from GA's Urchin origins). For example, the perpetrator can write any parameter, such as utm_source=Facebook, and GA will faithfully record the hit as a social visit. If the URL contains utm_medium=cpc, the visit is labeled as paid search. If the referrer is google, it is labeled as organic search. Note that in the video example above, all of the social traffic was fake but was marked as Instagram Stories, Facebook, and Twitter. The active page is literally a string of nonsensical letters and numbers, which shows that anything can be passed to any field in GA. These are all examples of incorrect data written to GA; not one of them is an actual visit.

This technique is also how fake traffic sellers promote their service, in what is called referral spam. Rather than sending email spam, the most efficient way to get in front of potential customers who want more site traffic is to insert data directly into their GA. The screenshot below shows some classic examples, such as referrer = www.Get-Free-Traffic-Now[.]com. When an analyst sees it, they become curious and visit the site, and some of them become customers of the fake traffic seller. Take a look at the thousands of traffic vendors in this handy list.

[Screenshot: referral spam example]

Marketers who use traffic to measure the performance of digital marketing campaigns also need to be aware of these Google Analytics vulnerabilities and how they are being exploited. Some of the performance you see in GA may be bots clicking on your ads; some of it may be phantom traffic. These exploits can remain hidden for years, but when the scammers slip up they come to light and are clearly not genuine. For example, some marketers have seen clickthrough rates above 100%, that is, more clicks arriving at the site than there were ad impressions. Others have seen click-throughs to the site even after the campaign had been turned off completely. Marketers may also see a lot of traffic but very few sales; this can be a symptom of the same problem.

If marketers include campaign names and IDs in their UTM codes, those values are visible in the clear and can be copied and replayed to make visits appear to come from those campaigns. More specifically, the bots used in digital ad fraud are tuned to click on ads at a rate of 1% to 9% so that the campaigns appear to perform. A bot can actually click the ad and visit the site, or it can simply insert false data into GA to make it look as if that happened. This is usually enough to trick marketers into allocating more budget to these campaigns, since they appear to be working very well. Hopefully this answers the question marketers ask: why would scammers bother to mess with my Google Analytics? So that you allocate more money to the campaigns you run with them.

Phantom Sales: The Appearance of Sales in GA

You should be sitting down for this next part. For years, marketers have tightened up their digital marketing to reduce waste and risk and improve performance. Because of the risk of ad fraud, some marketers moved away from paying for ad impressions and paid only for clicks. Then they noticed that clicks could be forged by bots as well. So they moved from paying for clicks to paying for performance: leads (cost per lead), installs (cost per install), or sales (affiliate revenue sharing). But they found that leads were easily forged, and that install fraud and affiliate fraud (cookie stuffing, for example) were also rampant. See: How Affiliate Scams Have Evolved to Rip Off Performance Marketers. And Uber's lawsuit over advertising fraud went all the way through; they won.

What performance marketers may not yet fully understand is that even sales can be faked. No, that does not mean that bots actually pay for things. In this form of fraud, the perpetrator claims credit for a sale that has already happened or would have happened anyway. Many retailers and DTC (direct-to-consumer) brands use a form of digital marketing called remarketing. In contrast to retargeting, which shows ads to users who have previously visited your site, remarketing campaigns show ads to users who have previously purchased from your site. The theory is to get those users to buy again, buy more, and buy more often. But hiding in plain sight among apparently legitimate remarketing vendors is a rampant form of fraud: claiming credit for sales that have already taken place. How does this happen? By exploiting the loophole in Google Analytics that lets anyone write incorrect data into GA.

Let's explain this with a concrete example. A consumer who has previously purchased from macys.com may buy from the site again because they know and like the retailer. On a later visit, they type macys.com to get to the site; Google Analytics calls this a direct visit. If the user views 20 pages and completes a purchase, the purchase is organic: the user did not see an ad, click on it, and buy as a result. Remarketing vendors exploit the GA feature that allows them to write fake data. Into the retailer's GA they write a fake click that pretends the user arrived at the site after clicking on one of the vendor's ads (ever wonder why they don't let you tag the ads yourself?). More specifically, they record which visits led to a purchase and capture the session identifier (see the extraction of the cid documented by security researcher Dr. Krzysztof Franaszek). By inserting a false click into a particular session that ended in a purchase, the remarketing vendor turns a direct visit with 20 pageviews into a 21-pageview visit that looks as though the user clicked on a remarketing ad. The vendor then demands credit for a sale that had already been made.
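The referral-spam hits described earlier and the mid-session "click" described just above both leave a recognisable shape in the raw hit stream, and a site owner can look for that shape before trusting an attribution report. The checks below are an added example and are not code from the original article or from Google; they assume the raw hits (one record per pageview or transaction, keyed by the GA client id cid) have already been exported into the dict shape shown, the site domains in VALID_HOSTNAMES and the spam markers in REFERRAL_SPAM_MARKERS are assumed values, and the sample hits are constructed.

```python
"""Defender-side sanity checks over raw analytics hit records.

Added example, not code from the original article. It assumes the raw hits
(one record per pageview/transaction, keyed by the GA client id "cid") have
already been exported into the dict shape built by hit(); the sample data is
constructed for this example.
"""
from collections import defaultdict

# Assumed: the domains the site is actually served from. A hit sent straight
# to the collection endpoint can carry any hostname, or none at all.
VALID_HOSTNAMES = {"www.example-shop.test", "example-shop.test"}

# Constructed list of substrings typical of referral-spam referrers.
REFERRAL_SPAM_MARKERS = ("free-traffic", "get-free", "buy-traffic")


def hit(cid, t, host, ref="", utm_source="", utm_medium="", page="/", kind="pageview"):
    """Build one hit record; t is seconds since an arbitrary epoch (constructed)."""
    return {"cid": cid, "t": t, "host": host, "ref": ref,
            "utm_source": utm_source, "utm_medium": utm_medium,
            "page": page, "type": kind}


SAMPLE_HITS = [
    # Genuine direct session: lands on the home page, browses, buys.
    hit("111.1", 100, "www.example-shop.test"),
    hit("111.1", 130, "www.example-shop.test", page="/shoes"),
    hit("111.1", 200, "www.example-shop.test", page="/checkout", kind="transaction"),
    # Direct session with a campaign-tagged "click" inserted before the purchase.
    hit("222.2", 300, "www.example-shop.test"),
    hit("222.2", 330, "www.example-shop.test", page="/bags"),
    hit("222.2", 340, "www.example-shop.test", utm_source="remarketing-vendor",
        utm_medium="display", page="/bags"),
    hit("222.2", 400, "www.example-shop.test", page="/checkout", kind="transaction"),
    # Phantom hit: no hostname, referral-spam referrer, fake social source,
    # nonsense page path.
    hit("333.3", 500, "", ref="www.get-free-traffic-now.test",
        utm_source="Facebook", utm_medium="social", page="/x9f3k2q"),
]


def hostname_mismatches(hits):
    """Hits whose hostname is not one of the site's own domains."""
    return [h for h in hits if h["host"] not in VALID_HOSTNAMES]


def referral_spam(hits):
    """Hits whose referrer matches a known referral-spam pattern."""
    return [h for h in hits
            if any(m in h["ref"].lower() for m in REFERRAL_SPAM_MARKERS)]


def injected_campaign_sessions(hits):
    """Sessions that landed as direct traffic, later gained a campaign-tagged
    hit, and then recorded a transaction: the shape of a click written into
    an existing session to claim credit for the sale."""
    by_session = defaultdict(list)
    for h in hits:
        by_session[h["cid"]].append(h)
    flagged = []
    for cid, session in by_session.items():
        session.sort(key=lambda h: h["t"])
        first = session[0]
        if first["utm_source"] or first["ref"]:
            continue  # landed via a campaign or referrer; not a direct visit
        tagged = [i for i, h in enumerate(session) if h["utm_source"]]
        if not tagged:
            continue  # stayed direct throughout
        if any(h["type"] == "transaction" for h in session[tagged[0]:]):
            flagged.append(cid)
    return flagged


def run_checks(hits):
    """Summarise all three checks as counts/ids for a quick triage report."""
    return {
        "bad_hostname": len(hostname_mismatches(hits)),
        "referral_spam": len(referral_spam(hits)),
        "injected_sessions": injected_campaign_sessions(hits),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_HITS))
```

The hostname check is the one a Universal Analytics view filter can apply directly (include only traffic to your own hostnames); the session-shape check has to be run on exported hit-level data, because the standard reports have already attributed the purchase to the injected campaign by the time you see them.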

Note that similar exploits are documented at the intersection of influencer and affiliate fraud. Influencers inject false data into marketers' Google Analytics to pretend that they can drive heavy traffic, which helps them secure paid sponsorship and affiliate marketing deals. Once a deal is secured, the influencer uses affiliate links to claim credit for what would have been organic sales. As a result, marketers end up paying twice for sales that would have happened anyway, while it is a sweet deal for the influencer. And be aware that affiliate fraud increased significantly in 2020 as more people were stuck at home and dramatically increased their online shopping.

So what?

What can marketers do if they suspect this is happening to them? Do what Kevin Frisch, Head of Performance Marketing and CRM at Uber, did. He saved millions of dollars when he discovered that Uber was being ripped off by widespread cost-per-install fraud. He suspended the advertising spend, and the app installs continued. Those were organic installs for which mobile exchanges had fraudulently claimed credit in order to collect CPI payments. In the slide below, the green area is advertising spend. Note that when spending was suspended, the blue line (organic sign-ups) rose to exactly the level of the red line (paid sign-ups) before the drop. This shows that the installs claimed to be from paid channels were actually organic installs (customers installed the app because they needed Uber, not because they saw an ad and clicked on it). The mobile exchanges had gamed the attribution reports to falsely claim credit for organic installs. This is the equivalent of a remarketing vendor claiming credit for sales that had already happened by inserting fake data into the client's Google Analytics. It is also why remarketing programs seem to perform many times better than any other form of digital marketing: they only look that way because of the fraud hiding in plain sight. Do you have the courage to stop this form of fraud from ripping off your company?

[Figure: organic installs versus paid installs. Source: Uber public presentation]

