Most reports of malware being found in Google Analytics code are largely inaccurate. Hackers sometimes use trick URLs that can fool the eye into believing that they are Google addresses. Even so, there is at least one case of a Google Analytics code being classed as malicious, by Google themselves!
What is Google Analytics?
Google Analytics is everywhere. Basically, Analytics is a common tool for tracking the success of websites. Many webmasters use Google Analytics to track website visitor browsing habits (such as which pages are viewed most often) and build targeted revenue building campaigns.
To start using Google Analytics, a webmaster must first sign up for a Google account if they do not already have one. Once accepted, web developers are given a unique script to add to their website, such as the footer, which is available on every page.
With the Google Analytics script on every page, browsing habits can then be recorded.
Hijacking Google Analytics Code
Website hackers no longer break into a website and replace it with a site of their own. Instead, the modern hacker hijacks a website by injecting their own code, either via spears (exploiting weaknesses in media such as Flash, for instance) or by gaining access to the admin account for the site. The website is then altered very slightly – often by making an amendment to the block of Google Analytics code.
The result of this is simple. Google Analytics does what it is supposed to do. The hacker’s own code runs while the website continues functioning, apparently with no changes. The website owner has no idea that their site is hosting malicious scripting and posing a security risk.
Consequences of Malware in Google Analytics
Put plainly, Google Analytics isn’t malware. However, it can be incorrectly designated as malware (see False Positives, below) by your security software.
Moreover, purveyors of malicious code have begun using URLs in the scripts hidden in hacked websites that resemble Google Analytics addresses.
The correct address (visible by right-clicking on a blank area of a web page that you suspect uses Google Analytics and choosing View Source from the context menu) should be google-analytics.com
Hackers use fake URLs that resemble this correct one. The fake URLs include:
Note how they use subtle alterations in the spelling. The last example uses a “q" in place of the second “g" of google.
The result of this is that security software can appear to be highlighting Google Analytics as malware, when in actual fact it is reporting one of these spoof URLs.
Unfortunately, this isn’t as simple as keeping an eye out for fake URLs that your anti-virus or anti-malware tool detects as being something that isn’t quite Google.
Google themselves have even reported Google Analytics (google-analytics.com) as malware, which is potentially embarrassing but apparently down to an incorrect identification by Google’s own Safe Browsing diagnostics page.
This is what is known as a false-positive. The result is incorrect, but as far as the tool creating the result is concerned, it is absolutely right. In the event, Google revealed that they would be developing their Safe Browsing tools to provide more useful answers to end users and develop the service to avoid further errors.
See unmaskparasites.com for more on this.