Spam in your Analytics? Ours, too. Here’s the who, the what and the how to hit back

10/30/2016
Screen Shot 2017-01-16 at 2.02.22 PM

Referral spam has our traffic numbers askew

550_analytics-auf “Secret.Google.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!” No, wait! Stop! Don’t do it… That is merely verbatim of what’s been appearing in our data on Google Analytics. For thousands and thousands of websites around the world, the blurb figures to ring some bells. The spammy hands that penned those words belong to an infamous hacker from Russia named Vitaly Popov. Online Marketing Rockstars took a closer look at Popov, his methods, how he set his sights on TheNextWeb.com and what you can do.

It certainly got our attention. While checking our site’s performance on Google Analytics, we came across something instead of two-letter, humdrum language abbreviations, “en-us,” “en-gb,” “de-de,” “es-es,” etc. “Secret.Google.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!” In just a week, we had 1440 page views native speakers of this previously undocumented language. Although it’s a mouthful, it’s no spoken tongue—it’s referral spam.

What is referral spam and how does the junk work?

Referral spam creates faked website visits that Google Analytics lists as, you guessed it, referrals. The type of referral we’re talking about here appears in Google Analytics by selecting Audience, then Geo and finally Languages. There are two kinds of referral spam: “crawler spam” and “ghost spam.” Crawler spam relies on bots to artificially generate actual page views, while ghost spam is responsible for completely faked traffic: with neither a bot nor an actual person actually having visited or engaged with your page.

Referral spam listed in our Google Analytics account under languages.

The way Google Analytics is set up to measure traffic opens the door for ghost bots. Using JavaScript Code, your page ID and Googles Measurement Protocol each page visit is logged along with the referral site. VA few years ago, spammers had the bright idea of automatically generating hot IDs and embed them on their pages. This method, which also lies at the heart of “Secret.Google” spam, can fake thousands of pages a day into thinking that the spammer’s domain is an important referral source for sites despite visits or engagement never having taken place.

What is referral spam used for?

The goal of referral spammers is to redirect traffic to their own page and then to monetize the visits via either AdWords or affiliate marketing. This relies on piquing a site operator’s curiosity, i.e. “Really? I’ve been invited to a secret Google page? Obviously, I am clicking that link!”

Behind “Secret.Google” is a Russian spammski named Vitaly Popov who’s been on people’s radar for a few years. By clicking secret.google.com, you’ll get an Easter egg in the form of a domain redirecting to a crazy diamond shining like a URL:

http://money.get.away.get.a.good.job.with.more.pay.and.you.are.okay.money.it.is.a.gas.grab.that.cash.with.both.hands.and.make.a.stash.new.car.caviar.four.star.daydream.think.i.ll.buy.me.a.football.team.money.get.back.i.am.alright.jack.ilovevitaly.com/#.keep.off.my.stack.money.it.is.a.hit.do.not.give.me.that.do.goody.good.bullshit.i.am.in.the.hi.fidelity.first.class.travelling.set.and.i.think.i.need.a.lear.jet.money.it.is.a.secret.%C9%A2oogle.com/#.share.it.fairly.but.dont.take.a.slice.of.my.pie.money.so.they.say.is.the.root.of.all.evil.today.but.if.you.ask.for.a.rise.it’s.no.surprise.that.they.are.giving.none.and.secret.%C9%A2oogle.com

The ridiculous ilovevitaly.com by Vitaly Popov.

Figure it out? Think of coins going ca-ching, ca-ching. Cue the bass… And? If you guessed Money you’re good as gold as the URL comprises nearly all of the word to the Pink Floyd tune. Despite the tons of fun, Popov distances himself from referral spam that links to his page in a hardly unnoticeable text in the middle of the page.

“Why famous corporation shows [this domain] in tens of millions accounts since 5 November ask not me.” He says he is not responsible and furthermore the actual domain name is ilovevitaly.com. “Despite the huge number of lies without any proofs in the media, this search shell is absolutely safe and very useful,” he continues. Popov knows who’s behind the malfeasance: “one very rich and influential hidden evil corporation [that] doesn’t like competitors very much.” Just a quick glance at his site—nothing but a bunch of links to search engines, torrents and online shops—and it seems abundantly clear that the content here is highly questionable at best.

A one-trick Popov: firing back with more referral spam

After The Next Web also discovered and reported on “Secret.Google” spam, another wave of referral spam, presumably initiated by Vitaly Popov popped up in our Google Analytics data. About a week ago, referrals to OnlineMarketingRockstars.de included “thenextweb.com,” with 46 page views stemming from the source within three days. These presumably originating from the aforementioned Next Web article. Oddly enough we have zero backlinks on thenextweb.com. Ergo, it seems that it’s Popov’s handiwork again.

Referral spam: These page views are not from thenextweb.com.

Vitaly Popov is a known commodity around the web when it comes to referral spam. One source even lists him as the inventor of “ghost spam.” He was reportedly responsible for the darodar.com spam of late 2014 and our German colleagues filed a report (in German) on him then. He offered his congratulations on being found, while stressing the fact that he “doesn’t have anything to hide, because what he does is not illegal in Russia. And that is what creative marketing is all about.”

However, his “creative marketing” campaigns have gone too far for some. A Reddit post lists several of Popov’s other spam domains and is full of people interested in getting back at him. The thread is dedicated to turning the tables and spamming his Google Analytics code. Certainly, one way of responding to the issue. For most of us, however, Popov is nothing more than an insipid nuisance, whose damage we merely want to minimize.

Is referrer spam harmful for site operators?

In the end, it remains unclear just which objectives Vitaly Popov is pursuing with his passionate referral spamming. However, it is remarkable that he is able to repeatedly outsmart Google Analytic. Just earlier this year Google announced that they would be removing referral spam automatically—yet here we, and Popov, are.

Still, there is some good news for site operators. First and foremost, the fake traffic figures pose no harm to your site regarding Google Analytics—but we still don’t recommend following the posted like out of curiosity. Secondly, removing fake traffic from your data is a pretty simple procedure. Here’s a simple guide showing you how.

Current stories and the most important news for marketers straight to your inbox!
Show me an example