This is why Backdoor is such a pain in the ASS!

Apple should NOT create backdoor for Good!

Tim Cook, Apple CEO, argued, it would “threaten the security of our customers.” You might probably have heard about the response from Apple regarding the FBI request to crack the Iphone 5 security so that FBI could reveal the information behind the San Bernadino attacks. Here’s the original court that demands Apple to assist FBI in enabling the search of a cellular telephone Iphone 5C.

If there is such a backdoor for such a fully encrypted operating system like iOS for apple devices, the threat against the customer’s security would be severe. It is actually the absolute trademark and most valuable system against android operating system that can be cracked easily within seconds. It actually holds true for me, since for the past 2 months, I have been fighting against the security threat on some websites that I developed. Since I did not pay too much attention on the security protection on my website, the hacker could easily hack and take over my sites.

It was very unfortunate and the hardest lesson in my entire history developing websites. For security reason, I am not going to reveal my website URL address. However, I could share what kind of hacking attacks that I have been encountering for the past 2 months until now. As you can see on the picture of my google analytic of my website, there is a constant referrer spam website traffic. If you type in and click the link that appears on my google analytic, you will be re-directed to this website. As you may guess, it simply destroys the credibility of your google analytic (GA) data that refers to your website. This can lead to termination of your google partnership agreement. Someone can exploit your GA code and Google can just BAN your GA account. Your Adsense account can be exploited and banned in similar way.

Here are some insights of what is referrer spam traffic attacks, since some of you may or may not know it.

Why am I seeing in Google Analytics?

Originally posted by: Samuel Wood on How Google Analytic works.

Here’s a quick primer on how Google Analytics works.
So, you get setup on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.
That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.
Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.
I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.
So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.
You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.
That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.
This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.

If you have read and understood the post by Samuel above, in the nutshell, here is the summary to wrap up his explanation.

  1. is using your Google Analytics Code to recreate fake information and sending that directly to Google Analytics.
  2. They are not visiting your website.
  3. In this case, they are possibly using a script to randomly create Google Analytics code UA-xXxXxXxX-1. Some would work, some wont.
  4. This spam is exploiting how Google Analytics works, possibly to promote some website.

Why use this referral spam?

I am not sure, it may absolutely benefit the spammers. Yes, it redirects to a shopping website (and previously it used to redirect to Amazon Affiliate page) but Google and Amazon will demote those links very soon. Be aware that that website link will never show up in Google search or any search engines.

What is more scary?

You know what? I am not worried about this referral spam / referrer spam. The worst that can happen is you see some funny links in your Google Analytics. Just done browse to those sites. But the part that’s more disturbing is that anyone with some programming skill can actually create a tool to randomize Google Analytics code and send Fake visiting info back to Google. Followings are the implications:

  1. You can target a legit website and spam others using them as referrer. The result? Google demotes a perfectly good website because someone else spammed forged them to spam others.
  2. You can target a website and spam using their GA code. The result? That website appers in millions of GA users and if even 5% of them visit that website, it might just overload their server and create a DDoS situation for them. As shown on the picture below, the reply from the web-server administrator with regards to the attack on my website. It made my account has been suspended and cannot be revived.
  3. Someone can exploit your GA code and Google can just BAN your GA account. Your Adsense account can be exploited and banned in similar way.

On the top of that I have learned my lesson the hard ways. Since the website that I developed in the past was made by using Wordpress SEO platform, it is very highly likely any hackers could break the security since there are millions of backdoor for this SEO platforms. This is similar with the backdoor issue that Apple encounters recently. Since there are lots of backdoor to break SEO platforms, in this case, there are tons of ways to break any websites within Wordpresss SEO platforms. Therefore, please be aware of the security of your website if you use any SEO platforms such as Drupal, Wordpress, Joomla, Blogger, Magento, etc.

It costs me at least one full week to strengthen the security protection system on my websites. So many different plugins and background java scripts system running on the top of the websites hoping that the website would be secure enough. I even also put the fully disabled system like auto self-suicide system, just in case if I see the abnormality on my website. That’s what exactly what Apple does on their IOS platform. Beyond the passcode itself, Apple’s security measures include an ‘auto-erase function’ which, if activated by a user, will erase all data on a device if the passcode is entered incorrectly 10 times.

Based on, That’s why Apple CEO, argued and criticized authorities for using the All Writs Act and not Congressional legislation to make the request, which he labeled “a dangerous precedent” that would seriously weaken Apple’s security system:

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.
The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
Above all, there have been always a constant battle between good and evil. The backdoor can simply be used for good such as revealing the detail conversations and messages of the San Bernadino attacks or also can be used for evil such as accessing your health records or financial data, tracking your location, or even accessing your phone’s microphone or camera without you knowing it. It really is the same as any other technology that exists such as nuclear power, atomic bom, internet, embedded system IoT, etc. The possibility is limitless. It does really depend on you. For me personally, Backdoor is such a pain in the ASS! Apple should NOT create backdoor for Good.
How do you think ?

Please let me know your story and comments below.

Thanks for reading this article so far! If you found value on this article, I’d really appreciate it if you would be so kind to recommend this post (by clicking the ❤ button) so other people can see it!