Defending Your Google Brand Reputation and Analytics Reports

Upload: sucuri

Post on 12-Jan-2017

TRANSCRIPT

DEFENDING YOUR GOOGLE BRAND REPUTATION AND ANALYTICS REPORTS WEBINAR

Alycia Mitchell| @artdecotech #AskSucuri

KRISTEN THOMAS Community Manager Community Engagement Team @kdthomas327

HOUSEKEEPING ITEMS

● Poll questions on your screen

● Q&A

● Place questions in Q&A box

● Ask questions right away

● Use #AskSucuri on Twitter to engage

● Questions will be answered and delivered post-webinar

● Brief survey at the end of the presentation

● Presentation video

ALYCIA MITCHELL

• Marketing Analytics & SEO Specialist at Sucuri

• Data geek and cybersecurity enthusiast

Victoria, BC (Canada)

Cybersecurity & Online Marketing

• 7 years working in cybersecurity and marketing communications

• 6 years studying in related fields

  • English Honors Program at University of Victoria

  • Technical Communication at Simon Fraser University

  • SEO & Web Analytics at British Columbia Institute of Technology

My Dog

• Moonshine

• Black lab

• 3 years old

• Loves the beach

• Gets me AFK

Overview of Sections

• Fix Google Analytics spam

• Repair Issues in Search Console

• Identify Indicators of Compromise (IoC)

Fix Google Analytics Spam

Bad referrers and ghosts in your data

Is Google Analytics Data Vulnerable?

How GA Collects Data

• Your unique UA code collects your data

Problem?

• There are only so many possible UA codes

• It’s easy for someone to copy your UA code

• Your UA code is visible in your source code

How do spammers send invalid data?

Scenario 1: Evil Clone

How they do it

• Set up a bad site with your tracking code installed

• Send hits to the bad site

• Your tracking code fires with each hit to the bad site

• These hits are sampled in your reports

• Your website is never actually touched in the process

They don’t need to set up a bad website though…

What is the Measurement Protocol?

The Google Analytics Measurement Protocol allows developers to make HTTP requests to send raw user interaction data directly to Google Analytics.

This allows developers to measure how users interact with their business from almost any environment.

Scenario 2: Internet of Things

How they do it

• Write a script with GA Measurement Protocol

• Send hits to your Google Analytics UA code

• GA collects the data in your reports

• It’s fast and easy to automate

• Can send any payload – events, ecommerce, etc.

A colleague on the marketing team

It took a total of about 10 minutes and less than an hour to send over 5 million fake hits to GA accounts

• Ran one line of code

• Sent 500,000 hits/minute (could be more with a bigger server)

• Hit every single UA code a few times

They don’t always use your UA code to pollute your data though…

Scenario 3: Bad Bots

How they do it

• HTTP request headers give your server data about every visitor

• These headers are collected by GA for Acquisition data

• Program a crawler or command a botnet that visits your site

• Spoof the HTTP headers with fake data

• Set a spam website as the HTTP referrer

• These spoofed websites show up in your Referral reports

How do you find the invalid data?

Finding Ghost Referrer Spam

• Hostnames are domain names sending data to your GA account

  • e.g., blog.example.com

• Every site using your UA code has a unique hostname

• Easy to identify which sites are yours and which are not

• Invalid hostnames are ghost referrer spam

• Removing invalid hostnames solves Scenario #1 and #2

• These hostnames show up as a dimension in GA reports

Reporting > Audience > Technology > Network

Hostname as Primary Dimension

Look for any domains that you do not own – these are ghost referrers

Finding Bot Referrer Spam

• Referrers are sites where visitors clicked links to get to your site

• HTTP request headers with the referrer set are collected by GA

• These referrers make up the Channels in GA reports

• Any sites that did not send legitimate visitors are bot spam referrers

• Bot spam referrers are difficult to identify among legitimate ones

• Removing spam referrers solves Scenario #3

Reporting > Acquisition > Referrals

Look for spam sites that shouldn’t be sending traffic to your site

There are lists of common referral spam that you can look for

How do you remove the invalid data?

Get Rid of Google Analytics Spam

To remove from future reports

• Apply a filter to your Views: include only valid hostnames

  • This modifies all data going forward!

• Apply a filter to your Views: exclude spam referrers

• Set an annotation in Google Analytics

  • This reminds you when the filter was applied.

To remove from past reports

• Create segments of valid hostnames and spam referrers

  • View past data without the invalid hostnames

Raw and Test Views

• You get 25 views for every property in your Google Analytics account

• Views allow you to add filters to change how data is processed

• Once you add a filter it alters the data forever for that view

• Use a new view to test any new filter before applying it to your main views

• Always keep at least one view completely unfiltered

• Ideally create another backup view with basic filters and goals too

Set a Ghost Filter

• Admin > View > Filters

• New Filter (use test view first!)

• Create New Filter

• Filter Type: Custom > Include

• Filter Field: Hostname

• Filter Pattern: ^www\.site\.com$|^blog\.site\.com$|^www\.etc\.com$

Set a Ghost Segment

• Reporting > Add Segment

• New Segment

• Advanced > Conditions

• Session > Include

• Hostname: domain.com

• AND (add all valid hostnames)

• Apply the Segment as needed

Filter and Segment Bot Referrers

• Same process: filter to protect future data and segment to fix past data

• Instead of including only good referrers, exclude the bad ones

• It is useful to use lists online of known bad referrers

• Use a tool like referrerspamblocker.com to import segments and filters

• Always use a test view first for any filters you apply to your data
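
The hostname include filter from "Set a Ghost Filter" and the referrer exclude filter from this slide, built from plain domain lists, as an added example that is not from the original slides. The domain lists and sample hits are constructed and the 255-character pattern limit is an assumption; dots are escaped because an unescaped "." in a filter pattern matches any character.

```python
import re

MAX_LEN = 255  # assumed Universal Analytics limit on a filter pattern's length

def include_hostname_pattern(hostnames):
    """One anchored, dot-escaped pattern for a Custom > Include > Hostname filter."""
    pattern = "|".join("^" + re.escape(h.lower()) + "$" for h in hostnames)
    if len(pattern) > MAX_LEN:
        # A hit must match every include filter on a view, so the list cannot be split.
        raise ValueError("hostname list does not fit in one include filter")
    return pattern

def exclude_referrer_patterns(spam_domains):
    """Dot-escaped patterns for exclude filters, split so each fits in MAX_LEN."""
    patterns, current = [], ""
    for piece in (re.escape(d.lower()) for d in spam_domains):
        candidate = current + "|" + piece if current else piece
        if current and len(candidate) > MAX_LEN:
            patterns.append(current)
            current = piece
        else:
            current = candidate
    return patterns + ([current] if current else [])

def classify(hit, include_pat, exclude_pats):
    """Label a hit the way the two filters would treat it."""
    if not re.search(include_pat, hit["hostname"].lower()):
        return "ghost"         # hostname is not one of ours (Scenarios 1 and 2)
    if any(re.search(p, hit["referrer"].lower()) for p in exclude_pats):
        return "bot-referrer"  # our hostname, spam referrer (Scenario 3)
    return "keep"

# Constructed sample data: every hostname and referrer below is made up.
VALID_HOSTS = ["www.site.com", "blog.site.com"]
SPAM_REFERRERS = ["spam-referrer.example", "free-traffic.example"]
HITS = [
    {"hostname": "www.site.com", "referrer": "news.example.org"},
    {"hostname": "wwwxsite.com", "referrer": ""},  # an unescaped "." would let this in
    {"hostname": "(not set)", "referrer": "spam-referrer.example"},
    {"hostname": "blog.site.com", "referrer": "free-traffic.example"},
]

def run_demo():
    """Classify the sample hits with patterns built from the lists above."""
    inc = include_hostname_pattern(VALID_HOSTS)
    exc = exclude_referrer_patterns(SPAM_REFERRERS)
    return [classify(h, inc, exc) for h in HITS]

if __name__ == "__main__":
    print(include_hostname_pattern(VALID_HOSTS))
    print(run_demo())
```

Paste the generated patterns into a test view first, as the slides advise, before applying them to a main view.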

Repairs in Search Console

Blacklists, Crawl Errors, and SEO Spam in SERPs

Dealing with Google Blacklist

• Google Search Console (aka Webmaster Tools)

• Security Issues section shows any warnings

• Google will blacklist your site if it’s infected

• Your search results will be labeled as hacked

• Blacklisted sites lose at least 95% of their traffic

• Once your site is clean you can request a review

404 Errors in Search Console

• After removing spam, Google may think those spam pages are legitimately missing

• These show up under Crawl Errors > Not Found

• You can use the Google URL Removal Tool under Google Index > Remove URLs

• Temporarily Hide and enter the 404 URLs

• You can also use robots.txt to tell Googlebot not to crawl spam directories

Scanning for Website Security

SEO spam is one of the most common website infections that we deal with at Sucuri.

You can scan your website with our free tool: sitecheck.sucuri.net

We also check for blacklists, outdated software, code anomalies, and known malicious payloads.

SEO Spam Impacts Visitors and Traffic

• Your page titles and descriptions help Google to rank your site

• Changing these can impact your ranking position

• If your site is infected, make sure to check your search results…

(For SEO best practices, check out our friends at Yoast and WPBeginner.)

SEO Spam in Search Results

• Website infections can alter your SEO metadata

• This changes titles and descriptions

• Shows up in Search Engine Results Pages (SERPs)

• Not automatically fixed when malware is removed

Recrawl Site in Search Console

• Crawl > Fetch as Google

• Enter your homepage

• FETCH

• Submit to Index

• Crawl this URL and its direct links

This will need to be done for any infected pages not linked from the homepage.

Indicators of Compromise

Bots, Injections, and Attacks in Google Analytics

Custom Alerts in Google Analytics

Google Analytics can send email and mobile alerts for specific changes.

For example

• Drop in revenue could indicate a shopping cart compromise

• 404 errors could indicate a spam campaign

• If Pageviews spikes, but Users and Sessions don’t correspond, it could be bots

Admin > under the View column > Custom Alerts

Malicious Request Parameters

• Your site likely uses legitimate queries

  • search bars, UTM campaigns, etc.

• These queries show up after the main page path

  • example.com/page.php?s=search-term

• Injections happen when attackers escape the query parameter

  • example.com/page.php?url=search-term' union insert "malicious admin" into users

• Unfamiliar or strange parameters could indicate attack attempts

• Search for potentially malicious commands in query parameters:

  • SQL Injection: SELECT, INSERT, UPDATE, DELETE, EXEC, UNION, etc.

  • XSS: onload, onmouseover, onclick, alert, etc.

  • LFI: file://
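
One way to run the keyword search above over exported page paths, as an added example that is not from the original slides. The (page, pageviews) row shape and the sample rows are assumptions; the second row is the slide's own injection example, URL-encoded.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Keyword families from the slide; \b keeps "selection" from matching SELECT.
RULES = {
    "sqli": re.compile(r"\b(select|insert|update|delete|exec|union)\b", re.I),
    "xss": re.compile(r"\b(onload|onmouseover|onclick|alert)\b", re.I),
    "lfi": re.compile(r"file://", re.I),
}

def scan_page_path(page):
    """Return sorted (parameter, rule) pairs whose decoded value matches a rule."""
    findings = set()
    query = urlsplit(page).query
    # parse_qsl percent-decodes values and turns "+" into a space before matching
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule, rx in RULES.items():
            if rx.search(value):
                findings.add((name, rule))
    return sorted(findings)

def triage(rows):
    """rows: (page, pageviews) pairs; returns flagged pages, most requested first."""
    report = []
    for page, views in rows:
        hits = scan_page_path(page)
        if hits:
            report.append({"page": page, "pageviews": views, "findings": hits})
    return sorted(report, key=lambda r: -r["pageviews"])

# Constructed sample rows, shaped like a page-path export (assumed format).
SAMPLE_ROWS = [
    ("/page.php?s=summer+selection", 120),        # legitimate search, not flagged
    ("/page.php?url=search-term%27+union+insert+%22malicious+admin%22+into+users", 3),
    ("/search?q=%22+onmouseover%3Dalert", 7),
    ("/view?doc=file%3A%2F%2Fexample", 2),
    ("/?utm_campaign=spring-update", 45),         # benign, flagged on "update"
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_ROWS):
        print(entry["pageviews"], entry["findings"], entry["page"])
```

The campaign row is flagged only because its name contains the word "update", so keyword hits are leads to review rather than verdicts.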

Common Vulnerable Spots

• Keep an eye out for hits to your login page and other secret areas of your site.

• Go to Reports > Behavior > Site Content > All Pages

• In the search bar, enter any page that should be hidden to visitors.

  • e.g., wp-admin, wp-login

• If you are getting a lot of visits it could indicate brute force attacks.

• Malware campaigns often target specific locations on your website.

• Stay on top of website security news!

• Questions?

• Tweet us @sucurisecurity #AskSucuri

• Find me @artdecotech

THANK YOU!