Tracking shady hosting providers by Google Analytics UID’s

Often there are times that you come across a site and are unsure if it is the same or under the same umbrella as another site. This can be common with multiple scam or spam sites that are set up as quickly as possible and have a similar appearance.

Sometimes you just want to see if the site is owned by the same person but the WHOIS info is set to private. This solution is geared only to sites that use the highly popular Google Analytics engine.

For those of you who dont know Google Anylytics is a free solution that allows you to track users coming and going from your site, it will log City, Country, Refferal, and a number of other metrics. What users dont know is when they deploy the code accross multiple sites the UID is the same but there is a single digit appended to the end. How can this be useful? Let me show you!

Here is an example of a normal google anylytics code snippet that should be on every page of your website. For this example I have replaced my own UA- code (the unique code google assigns to you) with UA-123456789. See the code below.

<script>
(function(i,s,o,g,r,a,m){i[‘GoogleAnalyticsObject’]=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,’script’,’//www.google-analytics.com/analytics.js’,’ga’);

ga(‘create’, ‘UA-123456789-6‘, ‘auto’);
ga(‘send’, ‘pageview’);
</script>

Pretend this code is on the source of examplepage.com Looking here we can see Analytics user UA-123456789 is currently tracking you on their site. If you were to go to scamsite.com and viewed source on that site and happened to come across the same UA-123456789 ID in the anaylytics section it would be fair game to assume that they are the same user tracking stats, unless they share an Google account, but that would be weird.

So how can we use these number to attempt to find out how many properties the owner has? Simple! at the end of the code you will see a number appended to the end of the UID. Refer to the example above.

ga(‘create’, ‘UA-123456789-6‘, ‘auto’);

This shows us that the user has registered up to 6 sites under the UA-UID for analytics.  This does not however prove that they still have 6 sites around but rather at one point they either messed up and made a new tracking code or happen to have it running across 6 sites.

Ok cool, I can guess how many sites my competitor / the user has. But how can I find the other sites? Simply by putting the UA- number in without the appended -digit into google you can get basic results leading to other properties owned by the user.

Ok ok, but why is this important.
The world of web indexing is getting smarter. Indexers not only crawl sites but the very raw html content they contain. Services like cuestat.com are already linking owners by anylytics UID’s and it wont be long before more do too. And you dont want to be the guy who is caught hosting yourname.com as a vanity site and freemovies-for-download.com with the same UID-1236456789-x ID when the MPAA comes calling.

*Note all sites are fictitious in this article, do not attempt to visit yourname.com or freemovies-for-download.com unless you want to. I know I have not.

Update 2015-10-27: Looks like Vice’s blog Motherboard used similar methodology on their post today when tracking down scammers who were using their face. They used a utility to do the discovery automatically but the thought process is the same.

Leave a Reply

Your email address will not be published. Required fields are marked *