Google Analytics Referral Spam from lets-go-now.com
On Tuesday, March 26, 2019
lets-go-now.com appeared in my Google Analytics referral list with references to
/h/8714471.html a non-existent page on my site–a clear indication that this is a spoofed referral spam attack where no one touched my site, or if they did, they were referred to a non-existent page. Other sites may have a reference to a different page of the same format.
whois lets-go-now.com shows registration on March 26, 2019 (today) at
ukrnames.com. The domain was registered at 8:16 AM UTC, or 10:16 AM in Kiev.
curl -L lets-go-now.com | grep 'semalt' shows references to semalt.com, a big referral spam name a couple of years ago. The signature for this is slightly different than recent
semalt.com attack sites:
<iframe src="http://semalt.com/fbpc.php" style="position:absolute;top:0;left:0" width="1" height="1"></iframe>
DNSLytics.com shows that this is a route to IP address
22.214.171.124. This server is owned by “openfrost.com”, a domain that is privately registered with
ukrnames.com, a registrar that is used by numerous recent Google Analytics referral spam attacks.
Google has become better at detecting but not blocking analytics attacks from this organization. Generally, these referrals now disappear within a couple of days, even though the view that I use for identifying referral spam does not use filters.
Google Trends Information on Referral Spam
Current ssh Attack Traffic Trends
SSH attack traffic today is fairly high, with an emphasis on profiling for NoMachine and previously compromised machines.