Loan Pricing Referral Spam

On March 17th, 2015, Google Analytics showed that my site got a big spike in referral traffic from After dealing with the referral problems in late 2014 where spammed Google Analytics trying to get web masters to go to their site, I didn’t automatically go to the site. Instead, I went to a domain name registration look-up site and found that the domain was registered to Moniker Online Services (Portland, OR), while the command whois shows the registration as Moniker Privacy Services (Ft. Lauderdale, FL). I then Googled “Moniker Online Serivces”, which gets an F from the Better Business Bureau (BBB) at this writing. The BBB entry for Moniker Online Services lists Moniker Privacy Services as an alternate name. Moniker Privacy Services has a similar business address to, a domain registrar that gets a B from the BBB. The Better Business Bureau is a decades-old U.S. organization that advocates for fair and truthful business practices.

Viewing the site in a character browser (to avoid malware) via curl shows that the site redirects to which is also registered to Moniker Privacy Services. The site is a very simple web page that encourages visitors to install calls to JavaScript on their website. The JavaScript contains references to which is registered to Whois Privacy Protection Service (Kirkland, WA). At this point, I hit a dead end. I couldn’t find any ownership or physical address information.

On March 23, a DNS lookup shows the IP address as, and a IP lookup shows the server to be hosted in Japan and operated by NTT Communications Corporation. As of March 25, this has changed to which is hosted in the United States and operated by Media Temple, Inc. redirects to which shows an IP address of which is operated by GoDaddy. The JavaScript on downloads some objects from which is hosted at IP address which is operated by Bodis, LLC.

Trends in Referral Spam

It is hard to tell just how often this is occurring on any site other than one’s own, but Google Trends may offer some additional information, as shown in the dynamic figure below showing interest in the search term “”. This graphic currently won’t render on Firefox and Chromium (it will on Chrome), as they appear to handle the X-Frame-Options header more restrictively (and securely) than current versions of Chrome, Safari and Internet Explorer. If you want to see the graphic in these browsers, use

Figure 1. Google Trends for search terms “”, “” and “referral spam” from 2004 to present.
Figure 2. Google Trends for search terms “”, “” and “referral spam” from last 12 months.

Fixing the Problem

My first reaction in addressing referral spam was to add a line to .htaccess to block these spam referrals (see for a description of how to do this) but with more research, it turns out these referrals weren’t referrals to my site at all, but were insertions of fake referrals into my Google Analytics reports. As was the case with, the clear intent is to cause webmasters to go to an unfamiliar site when they see a reference in their Google Analytics reports. Whether the motivation is to generate traffic to their site or to cause webmasters to visit a site that will download malware is unknown.

Based upon the instructions in Removing Referral Spam from Google Analytics, I checked the hostname on the referrals, and all showed “(not set)”–a clear sign that no one ever touched my site and that these were inserted into Google Analytics to get me to click to generate traffic or download malware onto my computer.

Removing Referral Spam from Google Analytics provides a good description of the problem and some solutions. Understanding and eliminating referrer spam in Google Analytics gives another good description of referral spam and a programmatic solution that is appropriate for plug-in developers but not for administrators of WordPress, Joomla and other content management system (CMS) based sites.

An alternative is to switch to self-hosted Piwik for your web analytics; if you do this, it will be immediately clear that the vast majority of Google Analytics referral spam is of the spoofed variety rather than the crawler variety. Piwik does not have the advertising integration nor does it have the demographic information, but for many small-traffic sites it can provide much more information. See Using Piwik as an Alternative to Google Analytics on this web site for more information on why Piwik might work for you and how to implement it.

Useful Commands and Web Sites for Investigating Referrers

For investigating a referrer, here are some useful commands and web sites:

  • TCPIPutils is a great site for looking up data on an domain or IP address
  • For domain registrations, the command line whois is very convenient as is
  • For IP lookups, dig is convenient, as is
  • Better Business Bureau
  • To view a site in character mode so that malware doesn’t get downloaded, use curl and curl -L. These are commonly installed on Linux machines, but will require additional software on Windows and OS X, as discussed below.
  • To look up a lot of information on an IP address in one place will give you a lot of information quickly.

Command Line Utilities

To use the whois, dig and curl commands on Windows and OS X, you will need to install additional software:

  • On Windows, install Cygwin and add the curl package.
  • On OS X, install MacPorts and add the curl package.

Cygwin and MacPorts have many additional command line and graphical utilities that make life easier in Windows and OS X.

More Information

For more information on referral spam, see

This web site uses cookies to provide user authentication and improve your user experience through the use of Google Analytics and Matomo Analytics. It also uses contact information for email and phone communcation. For details, see the Privacy Policy.