Detecting cloned sites through tracker IDs

Question

Hello all,

Cloned website detection can be done by taking a tracker ID (e.g. for Google Tag Manager) from a legitimate website and seeing if any other sites are using that same exact tracker ID.

Microsoft Defender for Threat Intelligence allows you to search for all sites that have a specific ID by entering a tracker ID in the portal UI. However the Microsoft TI API doesnt expose this via API. This can be automated locally via a script that scrapes the MDTI portal using an authenticated browser profile, but is this doable via SOAR?

Does anyone have any particular tools they use for website clone detection?

cmorris · Answer

It looks like the details tab from a URL entity in GTI should show the trackers:

You can try this query in GTI to return tagged URLs: entity:url tracker:"Google Tag Manager" and a query like this to return for a specific tracker: entity:url tracker:"Google Tag Manager" tracker:"G-XXXXXXXX".

In testing the URL support.google.com with the VirusTotal SOAR integration’s Enrich URL action, it looks like I am able to return these identifiers for URLs that have them:

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded