A Major Google Analytics Problem is Brewing with Referer Spam (Semalt, buttons for website, 7makemoneyonline, darodar), and They’re Doing Nothing About It (TM)

I’ve noticed the same problem that others have been experiencing with Google Analytics lately – an influx of botnet referer spam from domains semalt.combuttons-for-website.com, darodar.com and 7makemoneyonline.com (the list continues to grow), making their way to the top of your “Top Referrals” list. This traffic is throwing off analytics and may have long term SERP implications. From the sound of it, most users are either having a difficult time filtering (excluding) the domains and traffic through Google Analytics, and/or resorting to blocking the domains via their .htaccess file.

This is a public service announcement.

DO NOT USE THE
SEMALT OPT-OUT FORM!!!

Instead, offer them a clue about what orifice they can stuff that form in.

While I’m not the best SEO guy around, I’d have to say this looks like a traffic stealing campaign where somehow, they are using an opt-out form to phish/harvest backlinks and/or SERP rankings from your domain, or upsell you on better analytics software.

Furthermore, it seems that users are being scammed by what I would call social engineering agents who work for Semalt and lurk on public forums to point users towards an opt-out form run by them, effectively phishing users through Google Analytics. You might say that Google Analytics has been compromised. And what better way for Semalt to sell their own analytics software than to game their largest competitor’s software and lure users away from it? Semalt is literally using Google Analytics for free clicks and advertising, completely bypassing Google’s own pay-per-click advertising model. Instead of the phishing scam hitting your email inbox, it’s hitting your analytics report.

Some of the referer URLs contain my own Google Analytics ID. For example – forum.topicXXXXXXX.darodar.com – where XXX is your Google Analytics ID. I’d say they are using a script to iterate through all Google Analytics ID’s starting with 0000000, effectively generating traffic and analytics records for every site on the web that uses Google Analytics. But that’s not all, once you visit that referer URL with your Google Analytics ID in it, you’ve just told the spammers that your Google Analytics account is alive and well. It’s probably the same thing Semalt is doing with their opt-out form.

In doing so, these spammers would have the ability to sway traffic one way or another throughout the entire Google Analytics ecosystem without wasting botnet resources on inactive or retired Google Analytics accounts.

Shouldn’t Google be upset about that? This is not just a new type of spam or black hat SEO, it is a new type of marketing warfare or analytics malware.

Have a look at this Google support thread, which dates back several months and still no official statement…

Hilariously, Semalt has a Google+ page where they are “providing support” (phishing users). Let’s have a look:

Again, what you are doing is SPAMMY and I have read hundreds of threads about how despised your business model is. WE AS BUSINESS OWNERS should not have to jump through hoops to make you stop. You should not be crawling sites without our approval. You are not GOOGLE or BING – you are not offering us ANYTHING but a drain on our resources and incorrect data in our analytics. Why don’t you guys just STOP and market yourselves the PROPER way.  And I call bull on you “cannot change the algorithm of your bots” – you programmed the bots. Why don’t you remove them completely? Clearly you are just pissing people off. -Jill Caren

And I should say Jill, they might be right about not being able to change the algorithm of their bots, because their bots are probably real computers on the internet which have been infected by malware. It’s basically a runaway botnet they cannot stop unless those computers are cleansed of the malware. Ofer Gayer gives a pretty good rundown on how they may be running malware through a utility called Soundfrost.

Social Engineering

If you end up reading complaint threads about Semalt, you’ll most likely run into social engineering agent Nataliya who always makes a creepy appearance with the same copy/paste statements, attempting to smooth over the outrage and lure more users into the opt-out phishing trap. She can be found lurking on various forums and she’s aggressive, seeking out bloggers across the web who criticize and complain about their operations:

 

What should you do about this?

Here’s something you can toss into your .htaccess file to block the spammy domains mentioned in this article, and a bunch more offenders:

# BLOCK REFERER SPAM
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://.*social\-buttons\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*backgroundpictures\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*embedle\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*extener\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*fbfreegifts\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*feedouble\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*feedouble\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*joinandplay\.me/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*joingames\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*kambasoft\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*musicprojectfoundation\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*myprintscreen\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*openfrost\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*openmediasoft\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*savetubevideo\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*semalt\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*softomix\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*softomix\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*softomix\.ru/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*soundfrost\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*srecorder\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*vapmedia\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*videofrost\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*videofrost\.net/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*youtubedownload\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*zazagames\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*ranksonic\.info/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*buttons\-for\-website\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*darodar\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*7makemoneyonline\.com/ [NC]
RewriteRule ^(.*)$ – [F,L]
</IfModule>
# END BLOCK REFERER SPAM

Since spammers will register new domains to get around existing blacklists, the best way to stay on top of this is to monitor your Google Analytics account(s) on a regular basis and add new rewrite conditions for every domain that pops up as a spammer hence-forth. The recommended Google Analytics filters won’t always work because spammers know how to get around those too.

So whose job is it anyway to clean up this mess? Website owners? Google? Semalt? Let me know in the comments…

UPDATE April 2015: Definitive Guide to Removing Referral Spam

Related

Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *