How Referral Spam like Lifehacкer.com Gets into Google Analytics Reports

Co-founder at Kraftblick

Updated: February 18, 2017.

I had a meeting with a marketing department of one tech company when their CMO asked me: “Irina, have you heard anything about a recent flood of weird website traffic? I was happy when I noticed a spike in the number of visitors in Google Analytics, but then I realized they were fake. I heard it’s coming from Russia.”

By then, junk traffic had infected all the Google Analytics accounts I had access to, including Kraftblick’s.

At the beginning of November, a massive burst of referral spam took place. It sparked heated discussions on Reddit and other social networks about what was going on with referrer reports.

If you type ‘referral spam’ into Google, you will see that the first page is made up of articles dedicated to blocking (stopping, fixing, eliminating, removing, getting rid of) spam in Google Analytics. All are helpful, but that is mainly it. You will not get an idea of what is going on with your website.

In this post, I’ll tell you how referral spam can be produced, why anybody in the world would take the time to do that, and who is behind the latest spam wave.


Who is this information for? If you are interested in conspiracy theories, there is one here. If you are curious about how things work, referral spamming in particular, you will get the answer. If you are a marketing person who wants to know your website data in detail, this article is for you too.

A Bit of Background on Referral Spam

Fake user statistics in Google Analytics aren’t a new thing. Referral spam (remember .xyz websites?) and bot traffic have been invading analytics reports aggressively for a long time.

Bot machines were relatively harmless. Acting the same way as Google crawler, they visited websites and collected statistical data for their services.

Referral (or ghost) spam wasn’t that innocent. Curious marketers and web analysts checked the domains they supposedly got traffic from. Visiting those referrers sent them to trashy websites with ads, viruses or porn.

Both bots and spam skewed visitor statistics and made it difficult to analyze data.

Occasional spam attacks were irritating but recognizable.

This time it was different.

Spammy websites didn’t look the way they used to. Part of the junk traffic didn’t resemble spam at all.

The referrers reddit.com, thenextweb.com and motherboard.vice.com were pseudo-copies of reputable resources you knew and would love to get a backlink from.

Lifehacкer.com mimicked lifehacker.com, the only difference being the Cyrillic letter ‘к’ in place of the Latin ‘k’ used in the original traffic source. The substitution was hard to spot.
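One way to catch this kind of substitution in an exported referrer list is to flag every hostname that contains non-ASCII characters and name each one. This is an added example, not code from the original post; the function names and the sample list are assumptions made for illustration, and the two look-alike hostnames are the ones this article mentions.

```python
import unicodedata

def inspect_hostname(hostname):
    """Return None for a pure-ASCII hostname, else details of its look-alike characters."""
    host = hostname.strip().lower()
    odd = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if not ch.isascii()]
    if not odd:
        return None
    # For letters, the first word of the Unicode name is the script (CYRILLIC, LATIN, ...).
    scripts = {name.split()[0] for _, name in odd}
    if any(ch.isascii() and ch.isalpha() for ch in host):
        scripts.add("LATIN")
    # Punycode each non-ASCII label (raw codec, no IDNA normalisation) to get an
    # xn-- form that cannot be mistaken for the genuine domain.
    ascii_form = ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split(".")
    )
    return {
        "hostname": host,
        "non_ascii": odd,
        "mixed_script": len(scripts) > 1,
        "ascii_form": ascii_form,
    }

def flag_referrers(referrers):
    """Keep only the referrers that contain non-ASCII characters."""
    return [r for r in map(inspect_hostname, referrers) if r is not None]

# Constructed sample of a referrer export; escapes make the odd characters explicit.
SAMPLE_REFERRERS = [
    "lifehacker.com",          # genuine, all ASCII
    "lifehac\u043aer.com",     # Cyrillic letter from the article
    "secret.\u0262oogle.com",  # small-capital G from the article
    "reddit.com",
]

if __name__ == "__main__":
    for hit in flag_referrers(SAMPLE_REFERRERS):
        chars = ", ".join(f"{c!r} = {n}" for c, n in hit["non_ascii"])
        print(f'{hit["hostname"]} -> {hit["ascii_form"]} | {chars} | mixed={hit["mixed_script"]}')
```

The small-capital ‘ɢ’ is itself a Latin character, so a mixed-script test alone would miss it; that is why the check reports any non-ASCII character rather than only mixed scripts.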

A spam message was conveyed through the language parameter and appeared in the Language reports.

Fake traffic imitated the behavior of real users. The Pages / Session and Average Session Duration metrics weren’t zero, as they had been for spam hits in the past. Those zero values were the reason why referral spam was so hated long before fake sessions from lifehacкer.com emerged. Poor user behavior metrics in Google Analytics negatively affected website ranking in Google organic search results.

The Person Behind the Most Recent Wave of Spam

The majority of spammers seek people’s attention for money. They lure website owners into browsing spammy domains and convert them into cash when confused individuals click ads.

But that’s not the case with the latest massive spam flood.

Vitaly Popov is reported to be the person responsible for the messed-up traffic statistics in millions of Google Analytics accounts. All recent junk referrers, including lifehacкer.com and tons of .xyz websites, were registered under his name in Samara, Russia.

He became the first known ghost spammer who was also in charge of darodar.com spam flooding.

The link Vitaly inserted into the latest language spam – Secret.ɢoogle.com – redirects to his grand project called o-o-8-o-o. It turned out that the project is dedicated to his crusade against Google domination.

Vitaly came up with a nerdy alternative to Google – “the search shell with Google search without greed and with luck.” His creative portfolio also includes a Firefox plugin, Google Killer, which aims to replace Google search. The plugin is visible in Google Analytics reports as addons.mozila.org referrer spam.

That’s how Vitaly defines his mission:

“The Google is an extremely popular marketing agency. Many people think that to win Google and its greed is impossible. Amazon, Microsoft, Ask.com, and even Jimbo Wales spending millions of dollars to do this without any success. I will try also. Without spending millions of dollars, of course.”

His plugin’s 49 reviews are mostly negative.

We traced Vitaly, nicknamed Codobir, all the way from his Firefox plugin developer profile back to his posts on a Russian SEO forum in 2014. At that time he introduced himself as a Linux programmer and called for help. He needed software to get his websites into people’s analytics reports. His words were “if only one out of 1000 people click the link to see who these referrers are, I’ll gain profit.”

It looks like he found what he was looking for.

Interestingly, earlier in 2014 Vitaly posted a question on a Russian-language accounting forum asking if anybody needed a free online service with advanced Excel functions. No one was interested. Probably, the lack of attention combined with Vitaly’s fountain of ideas motivated him to take the side of evil.

Why You Are Not Done With Referral Spam

Because it’s not the first time spammers have polluted many websites all at once. Attacks have been going on for many years already, though with different levels of intensity.

Another reason why you are not protected from referral spam in the future is that such spamming techniques are relatively easy to replicate.

Based on many forum discussions and private talks, we expect referral spam to be produced according to the following logic.

1. Spammers parse Alexa Top Sites – perhaps, 1 or 10 million of them depending on the resources they have. In the end, they get domain links of all currently functioning websites.

2. They add UTM tags to domain links they obtained from Alexa.

UTM tags are URL parameters marketers add to the primary link to track its performance. Google Analytics reads the UTM parameters and uses them as the referrer information you see in standard GA reports.

For example, I have the link kraftblick.com/blog.

I add UTM tags to my link and this way I request Google Analytics to identify the link as the ‘i-am-a-spammer’ referrer.

kraftblick.com/blog/?utm_source=i-am-a-spammer&utm_medium=referral

This is the report I will see in Google Analytics when someone clicks my link with UTM tags.

3. Spammers use custom scripts that automatically click on website links and access them as different users.

4. Finally, you discover the results of their efforts in your Google Analytics account.

Another way for spammers to mess with Google Analytics data is through a GA feature called the Measurement Protocol.

As Carlos Escalera, a founder of Ohow.co, explained to me by email and described in more detail in his blog post:

“The Measurement Protocol allows sending data directly to GA servers. The only thing spammers need is the analytics code. They just send thousands of hits to randomly generated codes in the UA-111111-1 form. That’s why even sites that haven’t been launched or are just internal receive spam.”

The challenge with referral spam is that today you may get rid of lifehacкer.com and its companions. But you will never know what new contenders will pop up tomorrow.

How to Remove Language Spam in Google Analytics Quickly

Georgi Georgiev came up with the most elegant solution for referral spam removal.

Log in to your Google Analytics account and navigate to the Admin -> Filters area. Add a new filter with the following settings. Make sure you have “Edit” access at the “Account” level in Google Analytics. Remember that the filter will eliminate traffic hits where the language dimension contains 15 or more characters.

The Filter Pattern is:

.{15,}|\s[^\s]*\s|\.|,|\!|\/
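To see what the pattern above actually excludes before applying it to live data, it can be run over a list of language values. This is an added example, not part of the original post or of Georgi Georgiev's solution; the sample values are constructed, and re.search is used on the assumption that the filter matches anywhere in the field.

```python
import re

# Exclude-filter pattern quoted in the article, applied to the language value.
PATTERN = r".{15,}|\s[^\s]*\s|\.|,|\!|\/"

# The same pattern split into its alternatives, so a match can be explained.
RULES = [
    ("15 or more characters", r".{15,}"),
    ("two or more whitespace characters", r"\s[^\s]*\s"),
    ("contains a dot", r"\."),
    ("contains a comma", r","),
    ("contains an exclamation mark", r"\!"),
    ("contains a slash", r"\/"),
]

def excluded(language):
    """True when the filter would drop a hit carrying this language value."""
    return re.search(PATTERN, language) is not None

def reasons(language):
    """Names of the alternatives that match, in pattern order."""
    return [name for name, rx in RULES if re.search(rx, language)]

def split_hits(values):
    """Return (kept values, {dropped value: reasons})."""
    kept = [v for v in values if not excluded(v)]
    dropped = {v: reasons(v) for v in values if excluded(v)}
    return kept, dropped

# Constructed sample of values from a Language report.
SAMPLE_LANGUAGES = [
    "en-us", "ru", "pt-br", "(not set)",   # ordinary values
    "secret.\u0262oogle.com",              # look-alike hostname from the article
    "a b c",                               # short, but two spaces
    "en/us",                               # short, but contains a slash
]

if __name__ == "__main__":
    kept, dropped = split_hits(SAMPLE_LANGUAGES)
    print("kept:", kept)
    for value, why in dropped.items():
        print(f"dropped {value!r}: {', '.join(why)}")
```

Ordinary browser language codes such as en-us stay in the report, while anything with a dot, a slash, a comma, an exclamation mark or message-like spacing is dropped even when it is shorter than 15 characters.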

Remember that you cannot get rid of referral spam outright. New trashy domains and spam techniques constantly emerge and get better because it is profitable for somebody.

It is possible that spam blocking will not remove Vitaly from Google Analytics reports completely. His long-lasting spam activity suggests that Vitaly may soon surprise us with something even more exquisite.

Updated: Vitaly Popov has lost his rights to own ɢoogle.com after Google filed a complaint with the National Arbitration Forum, which is also responsible for the settlement of domain disputes.

