You've successfully subscribed to Adlive Content Hub
Great! Next, complete checkout for full access to Adlive Content Hub
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.
How Fraudsters Hijack Old Analytics Code To Steal Data

How Fraudsters Hijack Old Analytics Code To Steal Data

All brands face fraud. But the threat is especially significant for those who are still running the previous version of Google Analytics.

According to a recent blog post by Dr. Augustine Fou, a researcher who studies ad fraud and attribution theft, websites that are running older versions of Google Analytics (GA), such as the now-defunct Universal Analytics (UA), are wide open to ad fraud and attribution theft due to their inability to track 3rd party data sent via cookie syncing or non-cookie mechanism like URL parameters.

Dr. Fou says anyone with an interest in manipulating the data on these older versions of Google Analytics could easily take advantage of these vulnerabilities because there is very little in the way of security measures protecting this data.

As marketers and agencies become more involved with cybersecurity, it's important to understand the vulnerabilities of in-house web measurement systems - they're not as secure as many assume.

Ad fraud is a huge global economic crime. The latest figures from Juniper Research suggest digital advertising spend lost to ad fraud will reach $68bn globally this year. That stunning figure represents an acceleration from an earlier estimate in 2017 of $44 billion by the middle of this decade.

The problem is that many and perhaps most organisations have not upgraded to GA4, he says.

According to Fou, “Marketers [want] to see if their digital campaigns drove any traffic and what the bad guys can do is make it look like there was traffic so it appears that the digital campaigns were working.”

Originally fraudsters would generate fake traffic with bots, but that takes up time, resources and bandwidth, and crooks have busy lives. So instead, savvy fraudsters realised they could get the same result by just manipulating the analytics to make it look like the brand received the traffic, said Fou.

Fraudsters do not need to log in, but instead, they can exploit a design feature of the original Urchin Analytics (UA) product acquired by Google in 2005.

Design flaw lets attackers manipulate analytics data by leveraging the JavaScript code originally written by Google.

“They are simply writing data into a particular UA code, and then it shows up in your account.”

Fou said that prior to the release of GA4 in late 2020, there was an ability to pass data into the analytics platform as long as the bad actor had the UA number.

Businesses lose millions—or even billions—of dollars each year because they’re paying to reach audiences that don’t exist or rewarding fraudulent operators who steal attribution and capture a share of the sale.

But it doesn’t have to be this way.

Infraud is changing how fraudsters think about their business, forcing them to pay for verified traffic, and making it impossible for them to create new accounts and spin up new sites with stolen credit cards. This creates a stable marketplace where merchants only pay to reach real customers, thereby dramatically reducing the cost of digital marketing.

If you want to secure your brand safety, get a free assessment from our expert specialists today at Adlive today!