Recently there was an interesting project write-up called Automatically Discover Website Connections Through Tracking Codes by @jms_dot_py and @LawrenceA_UK. They used the source code search engine Meanpath to search for websites with a specific tracking code and Gephi to visualize the relationships from their results. We've been having the same idea for while now and decided to release two new transforms today. This means you can use this technique from within Maltego.
The first transform is called To Tracking Codes and runs on a website entity in Maltego. The transform will parse the home page of the specified site for tracking codes from services including Google Analytics, PayPal donate buttons, the Amazon Affiliate program, Google Adsense and AddThis. The image below shows the different tracking codes that can be found with this transform as well as the Detail View that is returned with each entity that includes a source code snippet of where the tracking code was found. The second transform is called To Other Sites With Same Code and is used to find other website that have the same tracking code.
Let's see what can be done with these transforms with a quick example using the Google Analytics code found on Ashley Madison's home page from the graph above. Running the transform To Other Sites With Same Code returns 100* different sites that all use a tracking code from the same Google account as the one from Ashley Madison. The resultant graph is shown below. (*Currently this transform is limited to returning a maximum of 100 results so there could actually be far more sites).
Most of these sites are just variations of the name ashleymadison.com and all redirect to Ashley Madison's home page. There are also a few other online dating sites here too as well as a couple of completely unexpected results of pages that you would not see being related to Ashley Madison in any way. These sites have piqued our interest so let's look a little deeper.
Taking all the websites from the previous step and running the transform To Tracking Codes again only finds one new code on the sites mysexydateprofile.com and adultxmeet.com. Running To Other Sites With Same Code on this new code does not result in any new sites being found. This looks like it could be a dead-end so let's use another tool we have in the Maltego workbench. Resolving all the websites in the graph above to IP addresses shows that most of these sites sit on the same IP address except for a couple of outliers as shown below:
|(only a portion of full graph)|
Finally let's see what else resolved to these IP addresses by running the transform To DNS Name [Other DNS names]. This transform will return historical DNS records for these IP addresses. Doing this results in some really interesting NSFW sites specifically found on the IP address that also host mysexydateprofile.com and adultxmeet.com.
The image below summarizes the connection found between Ashley Madison and our somewhat unsurprisingly very much not safe for work (VMNSFW) websites that won't be listed here.
These two new transforms for working with website tracking codes are now available in the PATERVA CTAS seed on both commercial and CE. Simply hit the Update Transforms button in the transforms hub and they will be added to your Maltego client.
As always, enjoy responsibly,