Showing posts with label referral spam. Show all posts

Monday, February 23, 2015

The Sound of Spam

More referral spam from Russia and the Netherlands cluttered my Blogger stats in February. Adding to the mess is the loud blast of spam from http: // ranksonic . info / krawler . pho?refToken threatening to blow the doors down on my blog for the past month. Join me as I explore the links you should never click on…

Ranksonic Spam 01

Let’s start with spam from RanKSonic since it is clogging up Statcounter as well as Blogger’s stats. Of course, it is SEO spam claiming to be able to boost traffic to your website. Hey, if they were that good at it, would they be spamming blogs to get business? Of course not.

Ranksonic Spam 02

Scrolling down to the bottom of the page, I tried several links since there was no way I would sign up for the shady service. Terms of Service and Privacy Policy produced 404 errors like the one above, while About Us just took me back to the top of the home page.

Inspires great confidence in their understanding of webpage design, doesn’t it?

Monday, December 22, 2014

Spam for Christmas

It seems that the dark elves responsible for pumping out unwanted spam of all kinds have the Christmas spirit of giving right now. Unfortunately, they completely misunderstood the true meaning of the season and are bent on raking in money for themselves.

Whether it be email or Blogger referral spam, the filters have been tested to the breaking point in December. Earlier, I posted an update on seoairport suddenly returning with a flood. A new approach that I haven’t seen outside of emails showed up too and that’s what I’ll be covering in this post.

I hope by now that everyone knows not to open an Adobe Acrobat (PDF) attachment from a stranger when they get one in their inbox. This has been a way to deliver trojans and viruses onto PCs for many years.

Easy Aromatherapy Spam 01, Easy Aromatherapy Spam 02

So it was surprising to see referral spam that linked to PDFs including one hosted on Amazon’s cloud service which arrived as s3 . amazonaws . com / pdf-1ydO / qyR20YHDImN9.pdf on my Blogger stats page.

Why would anybody use such a discredited way to get hits? Another referral and a little digging provided me with a theory.

Remember not to click on links such as these; leave it to security pros and madmen to investigate. In my case, it is the latter, though a virtual machine and an anonymous routing service were employed to keep my PC uncompromised.

SEO Spam or Fear the Penguin

One of the most irritating con jobs on the Net is selling links to people desperate to get traffic to their websites. This is part of what is known as “black hat SEO” with SEO standing for Search Engine Optimization. So it was rather interesting to get two false referrals from seoairport . com / site / product / in my Blogger stats today. UPDATED: December 2014 has seen a massive amount of hits from seoairport . com / site / recommended with no end in sight. New screen captures added at the end of the post.

SEO Airport Spam 01

Firing up the trusty virtual machine, I checked it out. Remember folks, don’t click on strange links and leave that to daredevils or those of us with more than one operating system on a machine. The name told me what to expect out of the site and I wasn’t disappointed.

The home page above is of basic design, which will be important later on.

Thursday, October 02, 2014

Return of the Russian Spam

A familiar pattern of false referrals has shown up in my September 2014 Blogger statistics making me wish there was a way to exile them to Siberia. Featuring a bevy of webpages originating from a site previously encountered, the spam is dedicated to parting you from your hard earned rubles.

While I don’t have any rubles to lose, precaution was taken in exploring the links. Firing up my trusty VirtualBox installation of Ubuntu 14 and using the TOR browser for anonymity I keep spam sites from looking at my real computer. Don’t try this at home unless you know what you are doing! It is best to never click on strange links.

detective01 Spam 01, detective01 Spam 02

Oh the irony of the first spam to hit my blog. http: // detective01 . ru / offers private investigator services of all kinds and would be somebody to hire to find out where spam is coming from in Russia. There’s just the small issue of them being spammers. Like quite a bit of spam from that country, it is connected to St. Petersburg and in this particular case the agency is based there.

Monday, August 11, 2014

Russian Spam Invasion

Things have been relatively quiet on the referral spam front for a while, but the last month or so has seen an uptick in my Blogger stats. Most are not shown as links due to Google filtering; however, the country of Russia is showing a ridiculous amount in my “Audience” figures. In fact, it is close to matching my traffic from the United States, which is mostly legit.

Remember not to click on strange links in your Blogger stats because you never know where they will take you. Leave that to people crazy or skilled enough to safely investigate.

Power Balance Spam 01

The latest spam from the Land of the Bear comes from a fake auction site. Oh you can really buy stuff there, but the timer is just a come on to influence you into an impulse buy. A long running con is magnetic bracelets for athletes and arthritis sufferers exploiting the placebo effect to work “miracles” through bogus science. Power Balance is one of those cheap trinkets being flogged at http: // power-balances . apishops . ru / proving that scams are universal or at least international.

Tuesday, June 10, 2014

Chatty Spam

A wave of referral spam recently hit my Blogger stats that looked like it might be real referrals, but as you have probably guessed from the title, it was spam again. The culprits are from freenode . net in two incarnations and I’ll be showing where the links lead to. Also included is some bonus spam involving the sex trade, travel, and an error message.

Remember to never click on suspicious links and leave that to those of us crazy enough to do so! You could end up with all sorts of nasty stuff on your computer.

Wednesday, May 07, 2014

Just What I Wanted: More Spam

While the blog hasn’t been hammered with referral spam recently, there have been a few drive-bys. Also in the mix was an attempt at comment spam that shows how the Web 2.0 emphasis on social media makes it easy to establish a false identity on the Internet, thereby lending an appearance of credibility to a post.

Remember not to click on suspicious links, folks. Leave that to crazy people like me who use layers of security and virtualized computers to poke cyber hornet nests.

First up is from Russia, without love:

Trust Combat Spam 01, Trust Combat Spam 02

Trust Combat’s spam came in as http: // www . trustcombat . com / faq . htm and appears to be an SEO (search engine optimization) outfit wanting money to help boost your web page ranking. They want to help you so badly that they accept Bitcoin, Litecoin, Nextcoin, Primecoin, and Paypal for payment. Links to proxy services are also found on the site.

trustcombat Blog Spam 01, trustcombat Blog Spam 02

UPDATED: Taking advantage of Blogger’s ease of setting up blogs to fake a legitimate presence is nothing new. What’s new is trustcombat . blogspot. com showing up in my referral data, complete with a Google Plus account. Tips and tricks for link building and creating a fake social media presence along with every single link going back to trustcombat . com fill the page.

I’d steer away from them; nothing good would come of doing business with what looks to be a fly-by-night operation. While neat and tidy, this is a barebones site that probably was set up in an hour or so of work. Avoid clicking on this link if it shows up on your Blogger stats.

Wednesday, April 30, 2014

A Multicourse Meal of Spam

Though Google and Microsoft have made targeting spammers worldwide a priority the last couple of years, the spam still keeps coming. That’s true for referral spam targeting blogs, especially Blogger and WordPress hosted ones. Clearing out my backlog of more than questionable referrals highlights the wide variety of spam out there.

Remember folks to never click on strange or suspicious links in your referrals – or anywhere else for that matter. Leave it to people crazy or secured enough to investigate the trash that gets past the junk filters.

hand-made-soaps Spam 01

As an appetizer, I present a tastefully designed site, http : // hand-made-soaps . com / homemade-lotion-recipes /, that offers recipes and tips on making your own soaps. This is not something normally associated with spammers, since they tend to be a dirty lot who don’t get out of their small apartments very often. Looks bland enough, but it hides a potent kick.

Iconic Spam

Remember when making icons for apps was all the rage? You don’t?! Well, a flood of referral spam to my Blogger site has filled me with nostalgia for the Windows 3.1 era of the early 1990s. All of the following spam traces back to Aha-soft in Canada as the screen captures will show.

Remember never to click on strange referral links showing up on Blogger stats. Leave that to crazy people like me armored up with security, virtual PCs, and anonymous web browsing capabilities.

Badaicons Spam 01, Badaicons Spam 02

The spam deluge began with http: // www . badaicons . com/ which leads to a page selling icons for Samsung smartphone apps. Clearly this is aimed at developers creating apps rather than end users.

Aha-soft Spam 01, Aha-soft Spam 02

Digging deeper into the links, it turns out the pages are part of a larger site, www . aha-soft . com, with redirects galore from their many domain names. They appear to be a real company out of Vancouver, Canada selling royalty free icon libraries plus software to view and create them.

Tuesday, December 31, 2013

Forget Mystery Meat, How About Mystery Spam?

Just in time for the end of the year, I found a new referral spam in my Blogger statistics. http: // semalt . com / competitors_review . php? u= (then my blog address) is obvious spam due to it having text suggesting that someone is competing with my website and checking me out.

Semalt Spam

Using a virtual machine and TOR to be anonymous, I checked out the address. It only gets me to the home page where a requirement to register first stopped me cold. Of course, it wants you to log in using your Facebook, Google Plus, or Microsoft Live accounts. Oh, nothing suspicious about that, is there?

It offers to show you what your Google rankings are, which is interesting given that you can sign up for Google’s own tools for free to do the same. As the page loaded, I noticed that it loaded counter . yadro . ru , a Russian address I only fleetingly glimpsed. Some sites report this as a malware infection while others say that it is simply a tracking site like Google Analytics. Still a bad guy according to most, so consider it a red flag.

The privacy policy and terms of use pages are generic, giving no useful information. There was no way I’d sign up to find out what lay beneath the barebones page other than to look at the source HTML. In there the meta description of the content bills the site as a “Professional keyword ranking monitoring service with competitor analysis. Fee plans.” Also found in the code was the yadro address, so that is being loaded as a hit counter.

My advice to all who get a variant of this link in their statistics is to avoid clicking on it. Semalt is most likely only there to harvest data to access your email and social accounts with the possible additional goal of selling SEO (search engine optimization) methods.

UPDATE

I’m seeing more hits from this spam showing up in StatCounter now and they are coming from computers in different countries with differing versions of Windows and screen resolutions. This means a botnet of infected computers is most likely being used to push the spam rather than forged addresses.

Please do not click on the link and if you have, run an antivirus program along with something like MalwareBytes or Spybot to make sure you haven’t been infected.

Tuesday, December 17, 2013

Analysis? Selling Links for Money Spam

Either I’m beginning to become a connoisseur of referral spam or I’m just bored with the usual offerings. Today brought something slightly different to my Blogger stats that piqued my interest: http: // prlog . ru / analysis / from-the-sidelines . blogspot . com . Having my blog address in the spam brings such a warm, fuzzy feeling. Wait.. no, that’s indigestion. Anyway, it was a blink and you’ll miss it hit and run.

PRLog Spam 01, PRLog Spam 02

Ever curious, I fired up my copy of Ubuntu on a virtual machine and used TOR to anonymously check out the site the link came from. Don’t try this at home unless you know something about security or reformatting your hard drive. Never click on suspicious links like this, leave it to crazy people like me.

Tuesday, December 03, 2013

Salary Comparison and Bitcoin Spam

With a sudden stop to the flood of Russian blog spam, I’d been feeling a little lonely this holiday season. But hey, Cyber Monday brought me a deal! UPDATED: Added links to articles on Bitcoin malware at end of post.

Am I Richer Spam 01

http:// www . amiricherthanyou . com / ec_recommended . php ?q=Oved&id=473535 arrived in my blog stats to assist me in feeling financially inadequate. Oh boy! Just what I wanted, more spam! Sarcasm aside, I was wondering why things had gotten so quiet lately. So firing up my trusty virtual machine and TOR, I checked out the link. Remember, don’t try this at home, kids. Never click on suspicious links or you will be sorry.

Am I Richer Spam 02

Surprise! The link took me straight to an ad for BitCoin trading. Yeah, that doesn’t look shady at all, does it? I’d have a better screenshot, but I forgot to maximize my browser and there was no quick way to get that site back – there’s a good reason for that I’ll go into later.

Wednesday, November 06, 2013

Strange Influx of Russian Spam, Part 3

Given how much I’ve already documented the new wave of Russian referral spam showing up on Blogger, I’m simply listing the new links as they come in. For more information on what this is all about, please see my previous posts here and here. In what may be a coincidence, vampirestats has been showing up in large numbers during the same time period. Also, I'm starting to see repeats of the same links, but they always register four times when they hit.

Tuesday, November 05, 2013

Strange Influx of Russian Spam, Part 2

Another day brought in another round of the odd referral spam to my Blogger statistics. Following the same pattern as the first batch, things took a turn toward the sinister once I started checking them out.  If you receive any of these in your referrals, do not click on the links!

Artcs Spam 01

http: // art-cs . ru / ?p=275 linked to a post on a Russian blog, just like all during this onslaught of faked referrals. This one does have phone numbers in one post, though I didn’t look them up. Last post was in September of 2012 and most of the posts were put up on one day.

Etiketu Spam 01

The second of this wave was http: // etiketu . ru / ?m=20120907 which links to a blog about proper etiquette and how it helps in business. Like the farming site in the first wave, this one has an about page. Unlike that one, no name is associated with it. Instead a mission statement of promoting humanism and decency is present. This will turn out to be highly ironic.

It was last posted to in October of 2012.

Monday, November 04, 2013

Strange Influx of Russian Spam

November has brought cold winds with it and a flood of Russian spam on the 3rd. The false referrals on my Blogger stats lead to a baffling variety of blogs. Only one is an obvious attempt to sell things, which makes it very mysterious that they all came at once. Oddly, all showed up four times with the exception of the first. All use WordPress and none have ads placed on the pages, but do have LiveInternet statistics links.

UPDATE: Continued with a theory of why these are being sent out.

Now the individual links:

Kyho Spam 01

http : / /www . kyho . ru / was the first to arrive Sunday morning. I copied the link for future investigation and headed out to church. Little did I know that it was the first of a larger group of spam arriving through early Monday.

Firing up my virtual machines for safe and compartmentalized browsing, I found out I’d be using Google translate a lot in trying to decode the mystery. This site is dedicated to hair care with repetitive posts which raises suspicions of being an automated site scraping content from legitimate blogs. There are no comments and it is a barebones blog layout. It also was last updated in November 2011!

With no ads and no immediately visible malware on the page or in the source code, it looked like another case of zombie spam.

Tuesday, October 15, 2013

Again With the Spam

While there hasn’t been a lot of new spam hitting this blog (been a lot of vampirestats lately), there has been one showing up under two different links and one that showed up on another blogger’s site.

Ourmeets Spam Warning

First up is the worst offender. Coming in as www . seoanalyses .com or under its real address,  ourmeets . com , this is a pornographic “dating” site. As you can see, it was blocked by OpenDNS, which I use to pre-filter anything coming into the house. Don’t click on it as it is exceedingly unsafe to visit.

kallery spam 01, kallery spam 02

Next up is one that commenter Sarma listed.

kallery . net out of South Korea looks like a real site at first glance, but digging further reveals that it sends you off to other sites where art is for sale. That’s a traditional tactic of cross promoting links used to generate ad revenue or of black hat SEO to up search engine rankings. Appears relatively harmless, but I advise avoiding.

Notice the art quiz winners on the right hand sidebar of the first screenshot. What are the odds that four of them would be links promoting the site? The mind boggles!

I wonder what percentage of Web pages in the world are actually spam sites? The search engines have enough trouble keeping up with the legitimate content being put up.

Tuesday, September 24, 2013

Spam from Google?!

Just a short report this time around on a strange referral spam that showed up briefly on my Blogger statistics. This time it was http: // dailydeal . de / gutschein-freizeit-ruhrgebiet-alpincenter-ski-tageskarte-060913

dailydeal spam 01, dailydeal spam 02

Checking out the spam in my trusty virtual machine setup revealed a professional site that held up under further scrutiny. A little research revealed Google owns the company which is a typical special offer promoting kind of place. DailyDeal was purchased by Google in 2011 and is based in Germany. Of course I’m not German, so talk about hitting the wrong target!

Now why would a false referral from a Google company show up in the first place?

This is where things get murky and necessarily go into the realm of speculation. My first thought is that the provider of the deal is trying to goose the results by paying a runner of a botnet to spam the listing. However, it is more likely a competitor to the tour outfit is engaging in negative SEO.

What is negative SEO? Search Engine Optimization is the process where a website builds up presence in Google, Bing, Duck Duck Go, Yahoo, and other search engines on the Web. Much is done by trickery in the HTML coding of a site, making sure keywords (short matches on content) are present in certain amounts.

The most tricky and dangerous optimization involves link exchanges so that it looks like the site is popular. Google has automated algorithms that periodically hunt down any behavior that looks like that. When a detection is made (real or false) an automated penalty is assessed against the webpage. This is all done by software and appealing to a human to quickly straighten out a false penalty is nearly impossible.

That means you can frame a competitor for building up paid links by purchasing said links. This is part of the “black hat” methods to boost your business on the Net by lowering the rankings in search results of your competitor. They can be dropped many pages in ranks by negative SEO.

While it is speculation, there is a higher probability that this referral link is pushed by someone other than the seller of the ski trips than something they did for themselves. However, they may have paid someone for SEO and that company may have engaged in bad practices.

So there is a mystery here that I won’t see solved. There are other possibilities including Blogger/Google getting the stats system screwed up to the point that an error caused the referral to show up.

At least this isn’t a dangerous or hostile site spreading malware.

Wednesday, September 18, 2013

Secret Spam

Everybody loves a secret, or so it is said. So it is no surprise that old marketing gimmick of using “secret” somewhere in the pitch showed up in some referral spam in Blogger stats. That means another chance to fire up a virtual machine and do some investigating. Don’t try this at home, kids.

7secretsearch spam 01, 7secretsearch spam 02

http: // www . 7secretsearch . com / is the latest spam to hit and it promises all sorts of secrets to upping your web traffic. The big come on is a form where you can enter your website URL and find out how much it’s worth. Featuring a slick presentation it is an enticing trap, no doubt.

The wrong sized ads showing up in the right sidebar are another giveaway that this isn’t really a professionally set up website. Poor placement of the title graphic resulted in a banner text ad overlapping it. But the best has to be more Google +1’s than Facebook likes. That is highly implausible, don’t you think?

7secretsearch spam 03

There was no way I’d put my own website in there, so I decided to click on the Amazon entry. An impressive amount of data comes up including that the site has no threats reported and is “SAFE to browse.” Looks kind of legit, until you notice they are using Bing stats only. Yeah, like Amazon isn’t indexed by Google.

That last oversized ad raised a lot of red flags so I clicked on it.

systweak

Anytime something pops up on a web page that says you need your system scanned, it is time to get out of there immediately. Systweak has been known to present a download of one program that turns out to be another which grants remote access to your PC. They are bad guys who will take your money and mess your computer up.

What I find amusing is that they had this ad show up when I was using Ubuntu to browse the site. Windows errors on a Linux machine are not logical.

So there are layers of shadiness to what’s showing up at 7secretsearch. Avoid at all costs.

Friday, September 13, 2013

Zombie Spam

I kind of wish the following referral spam had shown up in October so that I could have had a Halloween themed commentary. Instead it arrived in the middle of September. But hey, the undead always show up at the most unwelcome of times – sometimes repeatedly. At the time of writing this, http : // jetsli . de / crawler has shown up fourteen times in my Blogger stats for the day.

jetsli spam 01

Using my trusty virtual machine running Windows XP, I checked out the link safely. Remember kids, don’t try this at home!

What showed up was a classic dead domain, which was mildly disappointing. Since the spammer had let the domain lapse, there wasn’t much evidence of what kind of money making scheme had been involved.

So I clicked on a couple of links anyway.

Tuesday, September 03, 2013

More Linkbucks Connected Spam

Some more referral spam has shown up on Blogger and one provided an unexpected connection to two earlier ones. The first was reported by commenter Charlotte and arrived as 0288c729 . qqc . co which leads to Linkbucks again like a link that started with ceae2122.

So what do you get if you click on that odd string of numbers and letters?

o288c729 Spam 01, o288c729 Spam 02

First up is an ad telling you that you absolutely need to download a download manager. Yeah, like that won’t lead to bad things on your system. Remember kids, don’t try this at home and don’t trust strange links. Never click on anything you don’t already know and that includes things sent by trusted friends.