Web Analytics Referral Spam

Google Analytics Referral Spam from lets-go-now.com

On Tuesday, March 26, 2019, lets-go-now.com appeared in my Google Analytics referral list with references to /h/8714471.html, a non-existent page on my site–a clear indication that this is a spoofed referral spam attack where no one touched my site, or if they did, they were referred to a non-existent page. Other sites may have a reference to a different page of the same format. whois lets-go-now.com shows registration on March 26, 2019 (today) at ukrnames.com. The domain was registered at 8:16 AM UTC, or 10:16 AM in Kiev.

curl -L lets-go-now.com | grep 'semalt' shows references to semalt.com, a big referral spam name a couple of years ago. The signature for this is slightly different than recent semalt.com attack sites:

<iframe src="http://semalt.com/fbpc.php" style="position:absolute;top:0;left:0" width="1" height="1"></iframe>

DNSLytics.com shows that this is a route to IP address 217.23.10.44. This server is owned by “openfrost.com”, a domain that is privately registered with ukrnames.com, a registrar that is used by numerous recent Google Analytics referral spam attacks.

Google has become better at detecting but not blocking analytics attacks from this organization. Generally, these referrals now disappear within a couple of days, even though the view that I use for identifying referral spam does not use filters.
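The two cases described in the first paragraph (no one touched the site, or a request was sent to a non-existent page) can be told apart by comparing the analytics referral report with the web server's access log. The following is an added example, not code from the original post; it assumes a combined-format access log, and every hostname and log line other than lets-go-now.com and its path is constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: analytics referral rows as (referrer host, landing path).
REFERRALS = [
    ("lets-go-now.com", "/h/8714471.html"),
    ("example-blog.test", "/articles/referral-spam/"),
    ("crawler-spam.test", "/h/1234567.html"),
]

# Constructed web server access log (combined format) for the same period.
ACCESS_LOG = """\
198.51.100.7 - - [26/Mar/2019:09:02:11 +0000] "GET /articles/referral-spam/ HTTP/1.1" 200 5120 "http://example-blog.test/post" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2019:09:05:40 +0000] "GET /h/1234567.html HTTP/1.1" 404 312 "http://crawler-spam.test/" "Mozilla/5.0"
198.51.100.8 - - [26/Mar/2019:09:07:02 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'"(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def index_log(log_text):
    """Map (referrer host, request path) -> set of HTTP status codes seen."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = urlsplit(m["referer"]).hostname or ""  # "-" has no hostname
        path = urlsplit(m["path"]).path               # drop any query string
        seen.setdefault((host, path), set()).add(int(m["status"]))
    return seen

def classify(referrals, log_text):
    """Label each analytics referral by what the server actually saw."""
    seen = index_log(log_text)
    result = {}
    for host, path in referrals:
        statuses = seen.get((host, path))
        if not statuses:
            result[host] = "spoofed: no matching request reached the server"
        elif all(s == 404 for s in statuses):
            result[host] = "spam crawler: request hit a non-existent page"
        else:
            result[host] = "real visit"
    return result

if __name__ == "__main__":
    print(classify(REFERRALS, ACCESS_LOG))
```
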

Google Trends Information on Referral Spam

Figure 1. Google Trends for search terms “referral spam”.
Figure 2. Google Trends for search terms “lets-go-now.com” in the last year.
Figure 3. Google Trends for search terms “lets-go-now.com” in the last seven days.

Current SSH Attack Traffic Trends

SSH attack traffic today is fairly high, with an emphasis on profiling for NoMachine and previously compromised machines.
