Skip to main content
Solved

Detecting cloned sites through tracker IDs

  • March 10, 2026
  • 1 reply
  • 34 views
donkos
Forum|alt.badge.img+9

Hello all,

 

Cloned website detection can be done by taking a tracker ID (e.g. for Google Tag Manager) from a legitimate website and seeing if any other sites are using that same exact tracker ID.

 

Microsoft Defender for Threat Intelligence allows you to search for all sites that have a specific ID by entering a tracker ID in the portal UI. However the Microsoft TI API doesnt expose this via API. This can be automated locally via a script that scrapes the MDTI portal using an authenticated browser profile, but is this doable via SOAR?

 

Does anyone have any particular tools they use for website clone detection?

Best answer by cmorris

It looks like the details tab from a URL entity in GTI should show the trackers:

You can try this query in GTI to return tagged URLs: entity:url tracker:"Google Tag Manager" and a query like this to return for a specific tracker: entity:url tracker:"Google Tag Manager" tracker:"G-XXXXXXXX".

In testing the URL support.google.com with the VirusTotal SOAR integration’s Enrich URL action, it looks like I am able to return these identifiers for URLs that have them:

 

1 reply

cmorris
Staff
Forum|alt.badge.img+12
  • cmorris
  • Staff
  • Answer
  • March 10, 2026

It looks like the details tab from a URL entity in GTI should show the trackers:

You can try this query in GTI to return tagged URLs: entity:url tracker:"Google Tag Manager" and a query like this to return for a specific tracker: entity:url tracker:"Google Tag Manager" tracker:"G-XXXXXXXX".

In testing the URL support.google.com with the VirusTotal SOAR integration’s Enrich URL action, it looks like I am able to return these identifiers for URLs that have them:

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.