Authenticating Beacon Calls from Websites

Most sites nowadays track tracking beacons (ComScore, Nielsen) to track various metrics like pageviews, clicks, number of users, etc. When such a beacon reaches the ComScore server, how does the server know which page produced the beacon?

For example, suppose a person has two sites nice.com

and badsite.com

. The site nice.com

contains good content, but traffic to the site is very low. On the other hand, it badsite.com

contains adult pirated content and is very popular. Now the person wants to show a bloated pageview for his site nice.com

, so he deploys the javascript code to badsite.com

. This malicious JS snippet pushes the ComScore beacon and provides an identifier as nice.com

.

My question is, how does ComScore or Alexa prevent these scams? Is there an HTTP header or any other attribute present in the call that the tracking server can use to authenticate this beacon was actually started from nice.com

?