Google Analytics has become a great target for spammers, where they leave fake traffic that draws unwary web site owners to investigate where it came from. This week one of those spammers left a ‘Vote for Trump‘ message in many people’s analytics reports. What most people didn’t notice was that the website it referenced looked like secret.Google.com…but it wasn’t.
Instructions below show how to build a Filter to block this particular attack. To get historical spam out of your reports, use the Segment I posted to the Google Analytics Solution Gallery. Remember to change the Segment to use your website domain name in the first expression!
Read the whole story in the Definitive Guide to Removing All Google Analytics Spam — the authoritative reference on the topic, regularly updated since January 2015.
The Imitation G
In fact, the letter ‘G’ is a Latin Letter Small Capital, Unicode 0262. Compared side by side with a real capital G, they would look like ‘ɢ G’ — see the difference? Notice how the ‘G’ in the image is the same size as the lowercase letter ‘o’? It’s not the G you thought it was.
OK, so they faked a letter in the web address….so what? Well, if you click that link, it takes you to ɢoogle.com, not google.com!!! You have just clicked into the spammer’s web site, where anything could happen![you actually end up redirected to: money.get.away.get.a.good.job.with.more.pay.and.you.are.okay.money.it.is.a.gas.grab.that.cash.with.both.hands.and.make.a.stash.new.car.caviar.four.star.daydream.think.i.ll.buy.me.a.football.team.money.get.back.i.am.alright.jack.ilovevitaly.com]
Again, more spam, so what’s the big deal?
Well, someone, somewhere, gave out the domain ɢoogle.com to someone who was not representing google.com. what is stopping them from mimicking YOUR web site, or YOUR BANK’s website, and then leaving innocent-looking links for you to fall prey to? You would probably never realize what you did until it was tool late.
Internationalized Domain Names
Most people don’t realize it, but there were a lot of people working the past few years on getting international characters into domain names…and they are real today. They are supposed to allow people to create domains in their native language, like 日本語.jp. Seems at least one enterprising individual (in Russia) grabbed the opportunity recently to snap up ɢoogle.com (clever man?)
Expect to see a sharp increase in phishing until the general public catches on.
Never trust a link provided by someone else…
Sources: Fake or Real?
When they create a fake visit to your website, they usually leave one of their own websites as a source, so you’ll go click on it to see who is linking to your site. In this case, since the ‘message’ is in the Language field, they have used a mix of spam and real domains for sources, changing them daily to get around Google Analytics spam filtering processes. They have even used abc.xyz (Google’s parent Alphabet company site) and thenextweb.com(a real website that ran a story about the spam yesterday). In all cases, using the classic approach of filtering on the Source field is a waste of time. More…
How to Filter It Out
To prevent more of it from appearing in your Google Analytics accounts, create a new filter on the Admin panel.
Pick a new Filter Name
Filter Type: Custom
Filter Field: Language Settings
Filter Pattern: \.
Save the new filter. It will take effect right away, but you may find that today’s data gets reprocessed in a few hours.
Read the whole story in the Definitive Guide to Removing All Google Analytics Spam — the authoritative reference on the topic.
This topic caught my interest. It was first revealed by Analytics Edge.
Latest posts by Peter Kivuti (see all)
- Banking Trojan Trickbot New Tricks - January 10, 2019
- Internet-facing endpoints are exposing businesses worldwide to a botnet which is now being used in targeted ransomware campaigns: Phorpiex worm - January 10, 2019
- How safe is your data?: Two-pronged cyber attack infects victims with data-stealing trojan malware and ransomware - January 9, 2019