Brands on older versions of Google Analytics face higher fraud risks

Attackers use Python scripts to write data into Google Analytics and commit ad fraud or attribution fraud.

Websites operating older versions of Google Analytics (pre-GA4) are susceptible to ad fraud and attribution theft, according to an international ad fraud researcher.

Dr Augustine Fou says cybersecurity leaders need to be more involved with marketers and to better understand the vulnerabilities of web measurement systems.

Ad fraud is a huge global economic crime. The latest figures from Juniper Research suggest digital advertising spend lost to ad fraud will reach $68bn globally this year. That stunning figure represents an acceleration from an earlier estimate in 2017 of $44 billion by the middle of this decade.

Brands lose money because they are paying for audiences that don’t exist, or rewarding fraudulent operators who steal attribution and capture a share of the sale.

The problem is that many and perhaps most organisations have not upgraded to GA4, he says.

According to Fou, “Marketers [want] to see if their digital campaigns drove any traffic and what the bad guys can do is make it look like there was traffic so it appears that the digital campaigns were working.”

Originally fraudsters would generate fake traffic with bots, but that takes up time, resources and bandwidth, and crooks have busy lives. So instead, savvy fraudsters realised they could get the same result by just manipulating the analytics to make it look like the brand received the traffic, said Fou.

Bad actors do not need to log in, but instead, they can exploit a design feature of the original Urchin Analytics (UA) product acquired by Google in 2005.

Fou said that prior to the release of GA4 in late 2020, there was an ability to pass data into the analytics platform as long as the bad actor had the UA number. 

He said attackers could use a Python script, for instance, to write data into a brand's GA platform. Importantly, none of this requires the fraudster to be logged in.

“They are simply writing data into a particular UA code, and then it shows up in your account.”

Rami Alcheikh, growth marketing manager for St Trinity Property Group, which has moved to GA4, told Digital Nation, "It is very easy to have a bot or a script sending hits to the analytics server to generate fake traffic."

However, he said GA4 is really about adjusting to new realities, as it addresses analytics from a different perspective, reflecting changes in privacy settings in browsers and the reality of a world without third-party cookies to drive adtech.

"What GA4 allows you to do is essentially work with your first-party data," he said.

According to Alcheikh, it provides access to features that one would expect from GA 360, Google's premium product.

Installed base vulnerabilities

Meanwhile, Fou told Digital Nation that brands that are still using earlier versions of Google Analytics lack the most basic form of cybersecurity.

“It wasn't until GA4 that they added API keys, where you have to have the right key before you can write it, not just the UA code, which identifies the account.”

Previously, finding the key was as simple as viewing the source code.

He also outlined a more sophisticated form of fraud that allows bad actors to claim credit for e-commerce purchases, so-called attribution fraud.

In affiliate marketing, brands pay out a revenue share based on the sales generated by the affiliate.

“So what do you think the partner does? If they're a cheater, the partner basically pretends that those sales are caused by them, so they get their five to 10 percent revenue share on it when they're not actually supposed to.”

“They're simply claiming credit for sales that had happened by themselves, without their assistance.”

It might take a customer 20 steps to get to purchase; the bad actor just exploits the Google Analytics vulnerability, inserts itself into the process as the 21st step and claims credit for the sale, according to Fou.

Indeed, this was the basis for a famous ad fraud case in the US in 2016 where adtech companies Criteo and Steelhouse sued each other, each accusing the other of outright click fraud, says Fou. They settled before the case went to discovery.
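Hits written straight into the analytics platform, and affiliate touches inserted as a last step, never pass through the brand's own web server, so one defensive check is to reconcile analytics sessions against first-party access logs. The following is an added example, not code from the article or from Google; the data, the field layout, the 30-second window and the source name `affiliate-42` are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# Analytics export: (session start, landing path, credited source)
ANALYTICS_SESSIONS = [
    ("2024-03-01T10:00:05", "/shoes", "newsletter"),
    ("2024-03-01T10:02:40", "/checkout/thanks", "affiliate-42"),
    ("2024-03-01T10:07:12", "/sale", "affiliate-42"),
    ("2024-03-01T10:09:30", "/sale", "affiliate-42"),
]
# First-party web server access log: (request time, path)
SERVER_REQUESTS = [
    ("2024-03-01T10:00:03", "/shoes"),
    ("2024-03-01T10:07:10", "/sale"),
]

def unbacked_sessions(sessions, requests, window_s=30):
    """Return sessions with no server request for the same path within window_s."""
    window = timedelta(seconds=window_s)
    by_path = {}
    for ts, path in requests:
        by_path.setdefault(path, []).append(datetime.fromisoformat(ts))
    used = set()  # each server request can back only one session
    flagged = []
    for ts, path, source in sorted(sessions):
        t = datetime.fromisoformat(ts)
        match = next((i for i, r in enumerate(by_path.get(path, []))
                      if (path, i) not in used and abs(t - r) <= window), None)
        if match is None:
            flagged.append((ts, path, source))
        else:
            used.add((path, match))
    return flagged

def unbacked_share_by_source(sessions, requests, window_s=30):
    """Fraction of each source's sessions that the server never saw."""
    total = Counter(s[2] for s in sessions)
    bad = Counter(s[2] for s in unbacked_sessions(sessions, requests, window_s))
    return {src: bad[src] / total[src] for src in total}

if __name__ == "__main__":
    for row in unbacked_sessions(ANALYTICS_SESSIONS, SERVER_REQUESTS):
        print("no matching server request:", row)
    print(unbacked_share_by_source(ANALYTICS_SESSIONS, SERVER_REQUESTS))
```

A source whose sessions are mostly unbacked by server requests is a candidate for review before any revenue share is paid; pages served entirely from a CDN cache would need the CDN's logs as the reference instead.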

Lack of discipline

There is a lack of discipline around the basic processes, which contributes to the problem, said Fou.

“Cybersecurity folks really need to help out marketing tech a lot more than they are. And the reason for that is in my line of research, which is about ad fraud, a lot of the fraud is now generated by malware on devices. So for example, now we're on a PC, it is trivial for that malware, the software programme, to act in the background. And it's basically either loading web pages or loading ads and using bandwidth, and using computing resources. And the person doesn't actually know that's happening.”

Likewise on mobile devices. “So say, for example, the person downloaded a flashlight app. But the flashlight app contains malicious SDKs (software development kits). So that code can again call ads, call web pages and do a bunch of nefarious stuff in the background.”

The other problem with mobile phones is that people don’t turn them off at night. “The phones always have an internet connection. So for the bad guys, it's highly lucrative for them or highly desirable for them to put malicious code into mobile apps because then they can run ad fraud all day long.”

Clarification: GA4 was released in late 2020. Due to an editing error, this was originally reported as late 2022.

We have reached out to Google for comment and will update the story accordingly.

© Digital Nation