Tracking the Ad Trackers for OSINT OPSEC and Investigations
by Sarah Womer
Collecting entities tracking domain visitations can be helpful for OPSEC and OSINT investigations.
On January 14, 2023, I authored a LinkedIn blog post on “Domain Ads and Ad Analytics as an Information Resource for OSINT Investigations FouAnalytics PageXray for Domain Profiling a Propaganda Outlet.”
At the time, I noted-
“Typically, people will often look at Ad Analytics when visiting a domain for marketing, OPSEC risks, and privacy concerns. However, ad tracking, fingerprint canvassing, and other collection activities that can be viewed are also a resource of information for investigative collection. Just as metadata may be crucial to an OSINT investigation, so may Ad Analytics. Ad Analytics may be used for fraud investigations, Bot Detection, identifying authentication vulnerabilities between login and domain, foreign connections, domain relationships to other domains, domain profiling, and has other uses.”
Ad Trackers on a domain can be used beyond marketing for user visitation surveillance. Visitors can be tracked after they leave the domain and targeted as a part of an attack. Checking who is tracking visitors on a domain is counter-surveillance and OPSEC.
It is important to stress that the website owner or maintainer may not even be aware of the extent of the tracking, as many trackers are placed from a package of ads that are purchased through a third-party broker. Likewise, the service, such as a webpage builder or host, may have a built-in network of trackers. Easy website builders, for example, like GoDaddy, Wix, and Squarespace, may come with trackers. Site owners are able to check which third-party services are tracking on their domain but oftentimes don't. The reason for this flaw is simple: the identification and importance of that type of threat has been understated for years.
On May 11, 2023 Jonathan Pidgen at Media Analytics Global noted-
“Ad fraud is everyone’s problem, and there are very few exceptions. The majority of global brands have the same issues, so don't feel alone. You can't be blamed for something you never knew about. Let's learn together and grow together! The root of the problem is the "black box" legacy verification vendors. Their ineptitude has allowed "ad fraud" to flourish and become the "norm." The trade associations (ANA, IAB, TAG, etc.) have rubber-stamped the global epidemic of ad fraud by parroting the 1% IVT reported by legacy verification vendors.”
It is everyone's problem, as this type of fraud does not just impact marketing and branding; it impacts the consumers, customers, and visitors to a domain. In addition, tracking is sometimes a part of something larger or different than advertising. For example, what happens when a government uses browser fingerprinting and tracking as a third-party tracker on a domain? A government oftentimes has a larger budget and can buy ad-tracking technology just like a company, a charity, or anyone else. In addition, some government sites have ad tracking from third parties, which also may present security concerns.
For OSINT communities, most practitioners know that tracking is a threat to privacy and that it can compromise collection requirements. Many OSINT practitioners suggest ad blockers, malware removers, VPNs, privacy-enhanced search engines, and other options. However, unless a domain is visited with no-touch research techniques (including air gapping as an option) or a Virtual Machine with a VPN, there is still much wiggle room for error, especially when some third-party trackers that download to a computer are designed to evade blockers or may be hidden in creative ways.
Following are some compromise examples and suggestions on how to gauge tracking on a domain for OPSEC and Investigations
Scenario: Not Common But Occurs, Organizational Tracking
Much of the tracking present on the following domain is not ad tracking and is organizational tracking. Tools used in the following example include- Fou Analytics Page XRay, Domain Tools Who Is, and Webbkoll Dataskydd.
National Bugle Neo NAZI Tracking
FouAnalytics PageXRay is used first, as I have found it to be the most comprehensive out of any of the tools for showing ad tracking and malvertising on a domain. It also provides an excellent first stop for OPSEC before visiting a URL and oftentimes provides pivotal information for an investigation.
Below is a description of the tool from Dr. Augustine Fou-
“The PageXray tool is a headless Chrome browser which loads a webpage and allows the javascript to run. A headless browser is a normal browser but one that does not have a screen. These are developer tools used to automate tasks like testing a webpage to make sure it loads correctly. With a headless browser, we go beyond the static code that is visible on the page when a user clicks "views source." We record all the network calls made by the javascript and preserve the "chains" of "what called what." Then we plot these in a tree graph that shows the cascade of what calls what to reveal the shocking number of ads and trackers and other things loaded into a webpage, often without the users' knowledge.”
As of August 7, 2023 FouAnalytics Page Xray showed that visitors to the National Bugle had tracking as depicted on the following graph.
A cursory look from FouAnalytics PageXRay shows this domain had tracking from the United States and Russia. It did not show any browser fingerprinting or supercookies. Of interest is that there are two instances of ad server requests from a Daily Stormer domain out of Russia. The Daily Stormer is not an ad company or ad tracker, it is another extremist Neo NAZI domain that has been banned from multiple other locations. In this instance, confirming the location of the tracker is fairly clear as there is no intermediary tracker between the National Bugle and the Daily Stormer.
For double-checking the Daily Stormer’s Russia location, there are options. In this instance, a basic WHO IS was conducted with Domain Tools. The WhoIs reconfirmed a possible Russia connection to the tracking domain of Daily Stormer that can be further investigated. A simple Search Engine query of the domain name “dailystormer.in” and Russia provided a VOX 2017 article,”Neo-Nazi site Daily Stormer resurfaces with Russian domain following Google and GoDaddy bans”, by Aja Romano stated that the domain resurfaced in Russia during the 2017 timeframe.
For OPSEC, If tracking is of concern from Russia by a Neo NAZI extremist organization, then enhanced security should be incorporated into visiting the site and in any collection plans. Possible risk mitigation measures include- no-touch research with the Internet Archive Way Back Machine or other measures. If all that is needed is a preview of what is on a particular URL for OPSEC and a screenshot, then Fou Analytics Page XRay provides that with a URL query of the domain.
In addition, FouAnalytics PageXRay provides a preview of all of the external links hot-linked on a page with their position on a page. This provides further security as the information is provided without touching the domain. The domain is touching Fou Analytics PageXRay. Below are examples of hotlinks that were available for preview with a hover versus a domain click on the FouAnalytics query that provided enhanced OPSEC and possible pivot points for an investigation.
Hovering over “Contact Us” showed that the listed Point of Contact for the National Bugle is Zio Watch. This is a possible pivot point for a domain or organization investigation.
Hovering Over “Join the Conversation” provided a lead for a social media venue for the organization on ChantNGo.
Hovering Over “Donate” requested fundraising donations through cryptocurrency.
In addition to showing where external links are on a page, FouAnalytics PageXray also provides a compiled list of external hotlinks to a URL that can be useful for OPSEC and investigations. Below is an excerpt from the compiled external links of the National Bugle Domain URL as of August 6, 2023, via Fou Analytics Page XRay, including several social media locations from Vokante, a Russian social media platform. If the domain or organization were under investigation, this information may be useful.
FouAnalytics PageXray also provides a list of the internal links on a page and a list of ad-serving domains.
For the domain of The Daily Bugle, Internal Links provided further insights for fundraising through cryptocurrency. The Adserving Domains showed ads were served through WordPress.
There are also several other options available on Fou Analytics PageXRay that may be of use. A user can cross-compare the graph with the HTTPs HAR JSON and the Detailed JSON, which are offered for download. Additional insights on the tracking are also offered in the JSON. A download of the domain graph is also offered as SVG.
This is not a complete overview of Fou Analytics Page XRay as that would be an entire user manual, and Dr. Augustine Fou has authored multiple articles about this resource that are available on his LinkedIn page. This example simply introduced how to use Fou Analytics PageXray for checking a domain OPSEC, privacy, and investigative leads.
In order to further check OPSEC as it relates to the domain and for further investigative leads, I am now going to pivot to Webbkoll DataSkyDD (Webbkoll).
Webbkoll provides a description of “monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy.” This resource is useful to domain maintainers and visitors for OSPEC and investigations.
The following Webbkoll query results of the National Bugle provide additional OPSEC and investigative insights that are broken into sections of- front end summary, Content Security Policy, Reporting, HTTP Headers, Cookies, Third Party Requests, IP Address, and Raw Headers.
The front-end summary on this resource shows that the domain may have some vulnerabilities as it relates to privacy. It also shows that there were 18 requests to unique hosts, which further confirms findings on Fou Analytics PageXray that also depicted 18 “other requests.” It also has conveniently provided the IP for pivoting to IP investigations.
Next, this resource provided insights into a possible vulnerability with the Content Security Policy. A full explanation is provided by Webbkoll highlighting why this may be a vulnerability, including- “Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.”
In other words, from an OPSEC perspective, this site may not be safe to click on.
The next part of the Webbkoll query showed the CSP, Certificate Transparency, and Network Logging, explaining why they are important.
After that, Webbkoll provides OPSEC insights on the HTTP Headers of the National Bugle and why that may be a problem. Webkoll notes “The referrer header is a privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.”
This resource then showed that no cookies are present, which is a good thing, but the HTTP headers issue is still of concern, and there were 18 other tracking-related requests.
Webbkoll’s Third-Party Requests data confirmed data that FouAnalytics PageXRay provided and provided the IP addresses of those 18 requests and whether they were secure or insecure.
In addition, a user can attain additional information from each URL.
This may be overkill for an OPSEC check, but it can definitely be of use for a domain and organizational investigation and offers additional pivot points.
Webbkoll also offers further IP information and Raw Header data, including software of the server that may be of investigative use.
The FouAnalytics PageXRay Query, Domain Tools Who Is, and Webbkolmay may be enough for an OPSEC assessment prior to visiting the domain. In most instances, a visit to Fou Analytics PageXRay is enough in and of itself if the concern is a tracking check.
For pivoting in OSINT investigations, multiple leads were provided in this example that could be pivoted to additional resources such as URLScanIO, Joe’s Sandbox (to check for Malware), BuiltWith, a backlinks checker like AHREFs, View DNS INFO, Shodan, and many others.
Contact Sarah Womer on LinkedIn.
To learn more techniques and how to apply these to your investigations, take Sarah’s full day class “Tracking the Trackers" on February 20 or On Demand.