The attacker adds a line of JavaScript to Google's code, abusing the fact that Google Analytics is used across the web. That one line loads a few porn sites into parts of the page you can't actually see.

Line 71 is brought to you by the attacker

The only way a user can tell is a tiny hint Chrome shows while loading content. The other annoyance, though not obvious, is that the porn is actually loaded, and all those kilobytes are still transferred.

Telltale sign of the Man in the Middle attack.

These additional kilobytes might not sound like much. But they matter: on a metered connection every kilobyte is paid for, so the attacker is draining your data allowance by loading hundreds or thousands of kilobytes of garbage.

Wasted data is only a monetary loss; let's not forget how the exact same trick was used by the Chinese authorities. They performed a MITM attack that turned users of sites carrying Baidu Analytics into unwitting agents in a Distributed Denial of Service (DDoS) attack on GitHub. GitHub was hosting mirrors of the NYTimes and GreatFire, giving Chinese people a way to read news on corruption and circumvent content blocked by the Great Firewall of China. This tactic, dubbed the Great Cannon, brought down GitHub, who eventually gave in and took down the mirrors.

Illustration from https://citizenlab.org/2015/04/chinas-great-cannon/ describing how the Great Cannon works.

The silver lining is that this attack is entirely avoidable. The fix is as simple as switching over to always using the secure HTTPS version of the Google Analytics code. The challenge is getting the millions of sites using GA to actually make the change. Google should definitely update their suggested code snippet to make HTTPS the default, and maybe come up with some way to verify the payload. Finally, customers need to realize how they are basically leaking data and complain to whoever is responsible.

Same site as before, but loaded with HTTPS analytics. Notice the lack of porn and wasted bytes.
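As an added example (not code from the original post), here is a small Node.js audit that finds Google Analytics loader URLs a browser may fetch over plain HTTP, including the protocol-relative `//www.google-analytics.com/...` form that inherits the page's scheme, and rewrites them to the HTTPS-only form; the sample page and function names are constructed for the example.

```javascript
// Added example, not code from the original post: audit a page's HTML for
// Google Analytics loaders that a browser may fetch over plain HTTP (and so
// that an on-path attacker could rewrite), and emit the HTTPS-only form.

// Matches a GA loader URL with an http:, https: or protocol-relative (//) prefix.
// A protocol-relative URL inherits the page's scheme, so on an http:// page it
// is fetched in the clear just like an explicit http:// URL.
const GA_URL_RE = /(https?:)?\/\/(www|ssl)\.google-analytics\.com\/[A-Za-z0-9_.\/-]*/g;

// Returns one {url, secure} entry per GA loader URL found in the HTML.
function findAnalyticsLoaders(html) {
  return Array.from(html.matchAll(GA_URL_RE), (m) => ({
    url: m[0],
    secure: m[0].startsWith('https://'),
  }));
}

// Rewrites every non-HTTPS GA loader URL to its https://www.google-analytics.com form.
function hardenAnalyticsLoaders(html) {
  return html.replace(GA_URL_RE, (url) => {
    if (url.startsWith('https://')) return url;
    const path = url.replace(/^(https?:)?\/\/(www|ssl)\.google-analytics\.com/, '');
    return 'https://www.google-analytics.com' + path;
  });
}

// Constructed sample page: an abbreviated analytics.js snippet with its
// protocol-relative URL, plus an older ga.js include over explicit http://.
const SAMPLE_PAGE = `<html><head>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;a=s.createElement(o);
a.async=1;a.src=g;m=s.getElementsByTagName(o)[0];m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
</script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body></body></html>`;

// Audit the sample and return the insecure URLs alongside the hardened HTML.
function auditSamplePage() {
  const before = findAnalyticsLoaders(SAMPLE_PAGE);
  const hardened = hardenAnalyticsLoaders(SAMPLE_PAGE);
  return { insecure: before.filter((f) => !f.secure).map((f) => f.url), hardened };
}

console.log(JSON.stringify(auditSamplePage(), null, 2));
```

Forcing the scheme removes the on-path injection point; for the "verify the payload" idea, Subresource Integrity (the script tag's `integrity` attribute) is the browser mechanism that checks a fetched script's hash, but it only works for scripts whose bytes never change, which rules it out for a loader the vendor updates in place.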

UPDATE: A lot of folks have pointed out that this can also be due to a malware-infected router pointing to the wrong DNS (thanks!). I ran all my tests through the router, so cannot confirm or deny this, but have updated the post to accommodate that. The root issue of code injection into Google Analytics still stands though.