Re: Stolen Munchkin Code

Mikes_Jones · ‎01-27-2015

Hi Marketo Community,

So our company has been the victim of "theft" in a way. A couple of months ago we noticed our reports in Marketo were looking funky, we didn't recognize a lot of the URL's being generated for the "entry page".

After doing a little bit of digging around, I realized that a foreign website located in Puerto Rico had somehow got a hold of our Munchkin code. With the help of Marketo, we were able to contact the webmaster and he was very apologetic, claiming that he had no idea, and he removed it right away.

Couple of days later and while going through my analytics, I started to discover more and more websites that didn't belong to us. I found 3 other domains that are using our muchkin code, I've sent an email to all 3 webmasters.

So my questions are:

1) how does this happen?
2) how can this be prevented?
3) is there a simpler method that lets you detect which pages are using your Marketo Munchkin ID? I wouldn't be surprised if I stumbled across a few more domains

Thanks in advanced for the help.

Josh_Hill13 · ‎01-27-2015

Hi,

I was always curious if this would happen. Unclear why someone would want YOUR tracking code to slow down their page load times unless they were trying to hack your API to drop in data.

It's easy to copy the code, just do View Page on any browser.

I wonder if someone was scraping code or design and it has been populating across the net. Can you determine if the same firm or person built those websites?

I'd ask Support if they can grant you a new Munchkin ID.

You may be able to filter out other domains from the reports, of course.

Mikes_Jones · ‎01-27-2015

Josh -

I haven't been able to pinpoint the firm/person that built these websites, but it looks like someone has been lifting code from our website and possibility taking the tracking code in the process (I'm guessing on accident, as the webmasters I have been able to get in touch with seem to have had no idea).

As a result, our reporting has gotten all jacked up. I just set up filters to disclude some of these domains, but there's a LOT of them (over 300 that I found so far). Also, another annoyance, is that I have to set up a filter on EACH report - we have a lot of them, so this is going to take unncessary time.

I mentioned to support last week or so about providing us with a new Munchkin ID, but they said that it's more complicated than just issuing a new one - though I'm not sure how true that is.

Curious to see if anyone else has run into this problem as well.

SanfordWhiteman · ‎01-27-2015

If you're US-based I'm not sure how "foreign" Puerto Rico is as it's a US territory! But I digress.

The general answer to "can this be prevented" is no. Munchkin.js can be loaded on any of your web properties without having to set up the domain with Marketo. Hence there is no way for Marketo to know which hits to discard, and which to keep. Yet bear in mind that even if you had to register the domains in use, a truly malicious person could easily muddy your tracking just by making fake requests from an army of (script-aware) bots. C'est la vie. Unless you only track on authenticated sessions there's no way to prevent this.

I think your Munchkin ID is basically your master Marketo ID. So I can see why it would be difficult for support to change. It might be better if they created a secondary, expirable ID so that would be something you could reset yourself over time.

And I agree with Josh -- I would think this would be more of a compliment to your web design than a malicious attempt to muddy your results.

Mikes_Jones · ‎01-27-2015

I find it strange that not only can this not be prevented, but it doesn't seem to happen very often either.

When you say "can't be prevented", I think you mean from a basic level? If you were to hide your Marketo tracking code in something like Google Tag Manager - wouldn't that help conceal the Munchkin ID from public eyes? I'm not sure if this would work on LPs, but perhaps on a main domain.

SanfordWhiteman · ‎01-27-2015

To me, it isn't too strange that it doesn't happen -- a shrewd design thief would know to strip tracking tags and anything that identified the original owner, just like a shrewd software pirate. They probably didn't realize what Munchkin actually was and didn't bother testing to see if the site worked without it.

When I say, "can't be prevented" I do mean from any level. Look at what Munchkin does: it tracks anonymous leads who hit your website. (Whether or not you later associate w/known leads, you start tracking when the lead is still anonymous.) So it needs to be loaded on a regular public page view. Anything on such a page can be scraped, definitely by a concerted human thief (and a smart machine can do this kind of thing, too).

You mention something like GTM helping conceal the Munchkin ID -- sure, it could make it harder for a human to find because it wouldn't be in the original HTML markup but injected on-the-fly. But if I scrape your page including the GTM tag, I get everything that comes along with it. Sorry!

Ultimately the only way to stop a stolen Munchkin code from having an effect on your stats would be for Marketo to discard unknown domains. But that would mean every one of us who's accustomed to just plugging Munchkin into all our client/internal sites, regardless of SEO aliases, typo-catching alternatives, etc., would have more work. It probably should've been this way from the start, but at this point few of us are going to want additional housekeeping tasks to prevent a relatively rare case.