Showing posts with label spam. Show all posts

Tuesday, September 24, 2013

Spam from Google?!

Just a short report this time around on a strange referral spam that showed up briefly on my Blogger statistics. This time it was http: // dailydeal . de / gutschein-freizeit-ruhrgebiet-alpincenter-ski-tageskarte-060913

dailydeal spam 01

dailydeal spam 02

Checking out the spam in my trusty virtual machine setup revealed a professional site that held up under further scrutiny. A little research revealed Google owns the company which is a typical special offer promoting kind of place. DailyDeal was purchased by Google in 2011 and is based in Germany. Of course I’m not German, so talk about hitting the wrong target!

Now why would a false referral from a Google company show up in the first place?

This is where things get murky and necessarily go into the realm of speculation. My first thought is that the provider of the deal is trying to goose the results by paying a runner of a botnet to spam the listing. However, it is more likely a competitor to the tour outfit is engaging in negative SEO.

What is negative SEO? Search Engine Optimization is the process where a website builds up presence in Google, Bing, Duck Duck Go, Yahoo, and other search engines on the Web. Much is done by trickery in the HTML coding of a site, making sure keywords (short matches on content) are present in certain amounts.

The most tricky and dangerous optimization involves link exchanges so that it looks like the site is popular. Google has automated algorithms that periodically hunt down any behavior that looks like that. When a detection is made (real or false) an automated penalty is assessed against the webpage. This is all done by software and appealing to a human to quickly straighten out a false penalty is nearly impossible.

That means you can frame a competitor for building up paid links by purchasing said links. This is part of the “black hat” methods to boost your business on the Net by lowering the rankings in search results of your competitor. They can be dropped many pages in ranks by negative SEO.

While it is speculation, there is a higher probability that this referral link is pushed by someone other than the seller of the ski trips than something they did for themselves. However, they may have paid someone for SEO and that company may have engaged in bad practices.

So there is a mystery here that I won’t see solved. There are other possibilities including Blogger/Google getting the stats system screwed up to the point that an error caused the referral to show up.

At least this isn’t a dangerous or hostile site spreading malware.

Wednesday, September 18, 2013

Secret Spam

Everybody loves a secret, or so it is said. So it is no surprise that old marketing gimmick of using “secret” somewhere in the pitch showed up in some referral spam in Blogger stats. That means another chance to fire up a virtual machine and do some investigating. Don’t try this at home, kids.

7secretsearch spam 01

7secretsearch spam 02

http: // www . 7secretsearch . com / is the latest spam to hit and it promises all sorts of secrets to upping your web traffic. The big come on is a form where you can enter your website URL and find out how much it’s worth. Featuring a slick presentation it is an enticing trap, no doubt.

The wrong sized ads showing up in the right sidebar are another giveaway that this isn’t really a professionally set up website. Poor placement of the title graphic resulted in a banner text ad overlapping it. But the best has to be more Google +1’s than Facebook likes. That is highly implausible, don’t you think?

7secretsearch spam 03

There was no way I’d put my own website in there, so I decided to click on the Amazon entry. An impressive amount of data comes up including that the site has no threats reported and is “SAFE to browse.” Looks kind of legit, until you notice they are using Bing stats only. Yeah, like Amazon isn’t indexed by Google.

That last oversized ad raised a lot of red flags so I clicked on it.

systweak

Anytime something pops on a web page that says you need your system scanned, it is time to get out of there immediately. Systweak has been known to present a download of one program that turns out to be another which grants remote access to your PC. They are bad guys who will take your money and mess your computer up.

What I find amusing is that they had this ad show up when I was using Ubuntu to browse the site. Windows errors on a Linux machine is not logical.

So there are layers of shadiness to what’s showing up at 7secretsearch. Avoid at all costs.

Friday, September 13, 2013

Zombie Spam

I kind of wish the following referral spam had shown up in October so that I could have had a Halloween themed commentary. Instead it arrived in the middle of September. But hey, the undead always show up at the most unwelcome of times – sometimes repeatedly. At the time of writing this, http : // jetsli . de / crawler has shown up fourteen times in my Blogger stats for the day.

jetsli spam 01

Using my trusty virtual machine running Windows XP, I checked out the link safely. Remember kids, don’t try this at home!

What showed up was a classic dead domain, which was mildly disappointing. Since the spammer had let the domain lapse, there wasn’t much evidence of what kind of money making scheme had been involved.

So I clicked on a couple of links anyway.

Tuesday, September 03, 2013

More Linkbucks Connected Spam

Some more referral spam has shown up on Blogger and one provided an unexpected connection to two earlier ones. The first was reported by commenter Charlotte and arrived as 0288c729 . qqc . co which leads to Linkbucks again like a link that started with ceae2122.

So what do you get if you click on that odd string of numbers and letters?

o288c729 Spam 01

o288c729 Spam 02

First up is an ad telling you that you absolutely need to download a download manager. Yeah, like that won’t lead to bad things on your system. Remember kids, don’t try this at home and don’t trust strange links. Never click on anything you don’t already know and that includes things sent by trusted friends.

Monday, August 12, 2013

Sailing the High Seas of Spam Piracy

No, this post isn’t about hijacking trucks coming out of Hormel’s canning plants. What I’m on about is the latest referral spam to visit Blogger’s stats for From the Sidelines, http : // getfilesme . com / UPDATED 19 Oct 2013 to include filesw8 . com

getfilesme spam 01

filesw8 Spam

 

First off, don’t click on the referral if you see it, there is no point in feeding the spammers and associating yourself with piracy if the government comes snooping around on behalf of the entertainment industry. You also don’t know what you could catch from visiting such sites since they are a favorite way to spread trojans, keyloggers, and all sorts of malware. In other words, don’t try this at home kids.

UPDATE: A nearly identical site showed up today as filesw8 . com and I have no doubt it is put up by the same people. Stay away from it too.

Thursday, August 08, 2013

More Polish Spam

It seems I’m getting more referral spam linking to websites in Poland than anywhere else these days. The latest is http : // butyairmax90 . pl / which leads to a Nike shoes site (via my virtual Windows XP machine):

butyaimmax90 spam

How much you want to bet these are knockoffs and not the real thing?

Wrist watches have long been status symbols, so cheap copies of Rolexes are something one expects. However, the rise of the expensive running shoe has been something that has occurred in my lifetime and is extremely silly to me. There is money to be had there no matter what my viewpoint is so this kind of spam is getting common.

Do not click on the link if it shows up in your Blogger stats or emails!

Friday, August 02, 2013

A Couple of Drive-by Spams

We all notice the spam that hammers our referral statistics on Blogger’s control panel. But there is spam that only hits once or twice and is only seen if you are there at the right time. A couple of cases of these “drive-by” spammers were seen by me this week and you couldn’t get any different in what they were promoting.

First, one that hit today: http : // girlswithglasses . blognet . pw /

This happens to be hosted on blogger but with a name like that I was suspicious and fired up my virtual machine. Sure enough, it is a porn site looking to make money off of clicks. Do not click! Needless to say, there won’t be a screen capture.

coal spam

The other one was suspicious since it looked like it was masquerading as a legitimate site: http: // quitcoal . org / node / add

Well, it is a legit site. This is a Greenpeace run anti-coal page and it appears someone was trying to make people who clicked on the link automatically join the petition/site. Of course that’s an error message you see in the screen shot, so that forced recruitment failed.

Political referral spam, this is a first in my experience. I’m sure the individual responsible felt righteously motivated and justified in saving the planet. However, a policy of the ends justifying the means always leads into darkness and soon the would be do-gooder is a force of evil rather than good. In other words, a spammer.

By the way, I included the entire virtual machine window to show off my new way of flirting with disaster (cue Molly Hatchet) – checking out sites with Windows XP. The installation is set up to be roughly what an average user would have in the way of security to see what kind of nasty infections I can get from these sites. It’s actually a clone of a clean installation too, so I can do this without any hassle of reinstalls.

Friday, July 26, 2013

A Change of Pace: Porn Spam

It’s been a while since porn site referral spam showed up and today a false Blogger referral showed up from http: // asian . erolove . in / The title gives away the content right away, so don’t expect screen captures. A simple rule is that anything that has “love” or “ero” is going to feature pornographic material.

Strange as it may sound given my disapproval of pornography, this was almost nostalgic because I remember when porn spam and letters from Nigeria asking for banking help were the norm. These days weight loss and get rich quick schemes dominate with attempts to sell pharmaceutical products right behind.

One of the most bizarre things I’ve run into has been the flood of email spam from a Canadian pharmacy trying to sell Viagra and similar products.

“That doesn’t sound bizarre” you say thinking about your email account’s junk filter. What made it strange is that it posed as a lot of different things in the titles including weight loss, celebrity scandal information, and -- porn. It used to be the porn masquerading as something else! We live in a bizarre world.

Don’t click the referral!

Wednesday, July 24, 2013

A Failure to Load a Spam Site

While I post about referral spam as a form of public service, I sometimes get sites that won’t load right in my Linux based virtual machine. I can’t tell if the error is due to incompatibilities or attempted shenanigans by the spam site.

http: // ceae2122 . dyo . gs / is one such site that appeared in my Blogger stats today. It goes straight to LinkBucks and is supposed to be a video. When I clicked on the video it wanted me to update my video player.

ceae2122 spam 01

ceae2122 spam 02

It looks like an ad before the actual destination, but curiosity led me to see what would happen if I clicked the button. First came instructions and then it got interesting:

ceae2122 spam 03

It wanted me to download and install a customized version of VLC player. Being very familiar with that software, I recognized that isn’t the real release file. Not being interested in cleaning up an infection when I haven’t even gotten to the final destination, I canceled that.

So where did clicking “skip this ad” end up taking me?

ceae2122 spam 04

Well that’s disappointing. I have no clue what it was supposed to be thanks to the server error. It could be a missing destination for all I know.

LinkBucks is a very shady bunch and to be avoided like the bubonic plague anyway. Don’t click on anything going to them!

I really need to get ReactOS or WindowsXP running in a virtual machine for some of these investigations.

Comment Spam in the E-mail

The experiment with removing bot checks from commenting continues and so does the spam in my email account. Always posing as an anonymous commenter, it only shows up in my Gmail account but not in Blogger. So at least some of the filters are working. That’s the only silver lining since I have to check each email out.

Once again it is time to fire up the virtual machine with Ubuntu on it to do some investigating. Here are some examples and where the links lead to:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
Cygiefiania xaikalitag icergeallonia [ url = http: // usillumaror . com ] iziananatt [ /url ] Juicillenna http: // gussannghor . com EnedonoMory

The first link is embedded in xaikalitag and is ww2 . wikaswieier . com which throws up an error message. The second link gets the same result.

Gussanghor spam

The third time is the charm and we get to see a fake search engine made to mine money from click referrals.

Saturday, July 20, 2013

Time for Some Polish Comment Spam

One of the best reasons to enable Recaptcha aka the oddly colored and jumbled letters in the comments form is the fact you will very quickly see spam show up in your comments if you don’t. I moderate every post and had done this to save time though it does stop real people from commenting due to frustration deciphering the text.

To make it easier for people to post, I disabled the Turing test last night. At 2:17 AM this morning, the following arrived in my mailbox (edited to defeat autolinking):

Anonymous has left a new comment on your post "Godzilla vs Biollante (1989)":
[ url = http : // www . page1 . pl] pozycjonowanie [/ url ]

Needless to say, that looked suspicious sort of like a masked man robbing a bank does. Firing up the trusty virtual Ubuntu machine, I investigated the link which led to a very professional looking site put up by a company called Arteria.

page1 spam 01

page1 spam 02

It’s a rather large page involving a lot of scrolling, so I present only the top and bottom of the content. I’ve edited out the actual contact information which includes an address in Krakow, Poland.

Courtesy of Google Translate, the opening text in English:

page1 spam 03

As you have probably guessed, they are selling something. In this case, SEO optimization and placement. What’s SEO? Search Engine Optimization. That’s why they are spamming websites, hoping to get someone wanting higher traffic to pay them for their services.

If you are a webmaster or blog owner, do not click on this and feed their shady practices.

UPDATE: Turns out I missed another comment spam from a mere hour or two after I disabled the robot check. What’s hilarious here is that the link goes to a page that no longer exists:

Anonymous has left a new comment on your post "Howl’s Moving Castle (2004)":
When some one searches for his essential thing, so he/she wants to be available that in detail, thus that thing is maintained over here.
My weblog: southwest florida art galleries

atlcurling . info / wiki / index.php?title = User: JZFLourde

Once these spambots are set loose they seem to keep going long after the site is dead. I wonder how much zombie spam is out there?

Monday, July 15, 2013

Referral Spam Overload

Updated 15 July 2013 with screen captures and testing Tor for browsing.

A very quick post; referral spam went nuts the past 24 hours on the blog totalling 35 hits. The culprits:

adsensewatchdog . com

adsensewatchdog spam 01

This is what it looks like without Tor and NoScript. A wide index of terms so they get hits. Just another fake search engine riding the real ones to get traffic and money for pages served.

adsensewatchdog spam 02

With Tor (an untrackable browser) and NoScript it looks completely different. Fancier parked graphics and no links.

Spam and an Apparent Pyramid Scheme

Commenter Charlotte gave a heads up that a new spammer has shown up in Blogger’s stats so I checked it out several days ago. I didn’t get the spam myself and wasn’t feeling the love from referral spammers. Then the last 24 hours produced 22 spam hits of various kinds including the new one awsurveys . com / ?R=1070526 which showed up seven times. I guess they still love me. Is this what they call “bad love”? UPDATED with another link being used and a shady service connected to it.

AWSurveys Spam 01

So I fired up my virtual PC and checked out the link. Remember folks, don’t try this yourself! Clicking on referral link spam can cause any number of problems including getting your computer infected with malware.

Friday, July 12, 2013

Old Spam Is Still Indigestible

Getting back to posting reviews is turning out to be harder than I expected and the new rounds of referral spam have taken up time meant for writing on other topics. The latest to hit my Blogger stats is from newsuc . com and according to DuckDuckGo it is a parked domain which means no real content is hosted there. The page showing up from this dedicated to spamming site is newsuc . com / blog / blog1 . php / 2009 / 07 / 20 /giant-quake-tsunami though there are several others at the site.

newsuc spam 01

I fired up my virtual machine (VM) running Ubuntu for safe investigation of the site and to take screen captures. Remember, don’t click on the links from newsuc! What I found looked like a real blog, if out of date by three years. But why would they be linking me now?

Thursday, July 11, 2013

A Tricky Bit of Spam

Spammers apparently never sleep and so it isn’t long before a new referral spam hits Blogger or an old one appears under a new link.  This particular one is a new one to me and came in as t . co / 1kXhhiBfBE using a shortened Twitter link. So what is it really?

Screenshot - 7_11_2013 , 8_49_44 AM

A misogynistic offer to teach men how to seduce women. Apparently it is a video and the format looks all too familiar. The content is different, but I never did see the presentation due to this:

Screenshot - 7_11_2013 , 8_52_25 AM

Firefox on Ubuntu failed to install when the camera icon was clicked on. Children don’t try this at home! Digging into the page source code revealed the video link claims to be in SWF format but as you can see, nothing happened. If it is malicious code aimed at Windows, it found the wrong operating system to play with.

Screenshot - 7_11_2013 , 8_54_31 AM

Finally, when you try to close or back out of the page, the javascript launches this appeal to the profoundly desperate. I’m sad to say this will actually work on some guys.

UPDATED: This is now coming in as a full address, thetaoofbadass . pw / ?a_aid=517d032416eac which makes it seem even more silly.

Looking at the source code (with no expertise on my part) was revealing in that this appears to be a prefabricated template complete with instructions. A talented coder will glean a lot more than I did, but it shows just how polished the malware and spam pushing has gotten. It is all very professional now and it seems that the weight loss spam used the same form.

Wednesday, June 26, 2013

Ohbelog Referral Spam

So I see a Malaysian website on my Blogger stats today and couldn’t resist seeing what the latest spam was. It turned out to be a very interesting place to investigate. An ornate trap is what I would describe ohbelog . com as. At first look it appears to be a social media aggregate site where you can vote up or down on different links.

It’s flashy and oh so modern:

ohbelog01

ohbelog04

Scrolling down reveals that not a lot of voting is going on and clicking on some of the subsections in the menu nets these results:

ohbelog02

ohbelog03

Notice anything suspicious yet?

Thursday, June 06, 2013

A Source of Referral Spam

Ever wonder where the strange links in your Blogspot stats come from that don’t really link to your blog? Ever wonder why someone would do such a thing? Wonder no more.

r-e-f-e-r-e-r . com showed up on my stats today and this site blatantly lays out what is going on. For $29.95 you can spam forty million websites with links to your site to artificially drive traffic – or at least that’s what they promise. You may have heard of similar schemes for Facebook likes and Twitter follows to boost apparent status.

Screen capture follows and is safe to click on:

referer spam

The part selling ads pointing out mostly webmasters visit this site is something I find vaguely hilarious. Most won’t be pleased to be visiting, I suspect.

Please don’t help them out by visiting their site.

Saturday, May 18, 2013

Topblogstories Referral Spam

Another round of spam has hit the blog stats page and this time it is a link to a purported hookup service for the sexually desperate. Okay, it doesn’t say that, but that’s how I view it.

topblogstories . com / led me to this page:

Link to NSFW screen capture, but not pornographic image.

topblogstories . com / 18331&c=3 led to virtually the same page:

Link to NSFW screen capture, but not pornographic image.

Notice the javascript coding picks up where your IP is from. I suspect false advertising given the number of breasts promised.

As usual, do not click on the referrals! I hope your mother warned you about these kinds of girls…

…and hopefully you will warn others about these kinds of spam.

UPDATE: The first link now leads to a topless photo. It may be that they rotate them, but be warned it is now very NSFW!

UPDATE 2: Seeing another round of it with a small variance. Persistent, aren’t they?

topblogstories . com / 7293&c=6

UPDATE 3: Thanks to the efforts of commenter Edgar Bangkok there are more details on the spammers, both methods and probable location in Ukraine. He’s posted detailed analysis at his blog in two posts:

The first one shows how javascript is used on the webpage.

The second post shows the topblogstories spammers are now targeting Google Analytics and shows sublinks going to AdultFriendFinder and Damned Love.

If you don’t read Italian, you’ll need to use a translation service such as Google Translate to read his posts.

Monday, May 13, 2013

New Page Index for Spam Posts

Since I’ve gotten a lot of views on posts about referral spam on Blogger and not many people click on tags, a new page has been added at the top under the blog title graphic to make it easier to find those posts. Spam, Lovely Spam is the page and also includes links to posts on other scams and spamming.

These aren’t the kind of posts that one would hope would be popular on a blog, simply because it would be a better world if it wasn’t necessary to identify the garbage filling our Blogger referrals. Being a strong believer in service, I’ll continue to add info as new spam shows up.

I’d say read and enjoy, but…

Wednesday, May 08, 2013

Weight Loss Referral Spam

It seems to be a week of heavy traffic in Blogger referral spam and I wish there was a diet we could go on to lose it. The latest links to a video from a chiropractor and “wellness expert” calling himself Dr. Charles from Fishers, Indiana.

current . com / 1rhh7kc is the link showing up today, but it has also been showing up in large quantities as www . filmhill . com / redirect . php?url=http:// flf-course . com?a_aid=510d2acc92117&a_bid=6f93443e for some time now.

UPDATE 1: Now it is coming as vk . com / away . php?to=http %3A%2F%2Fflf-course . com%2F%3Fa_aid%3D51893d1ad4b02&post=18068744_31

UPDATE 2: Once again the link has changed, this time to appear to be coming from LinkedIn. www . linkedin . com / redir / redirect?url=http %3A%2F%2F flf-course %2Ecom%3Fa_aid%3D517d0f042c205&urlhash=e75j

UPDATE 3: As of June 26, 2013 a new link has appeared: http:/ /t . co/ MaAptuGFVu that is of course the same video.

UPDATE 4: July has found the video making its way into referrals again, this time as blogsrating . pw/ An interesting thing happened when I loaded the site – it ran a very long load with many blogspot addresses going by in the info bar of the browser. I’m no code expert, but I wonder if it uses every hit on the site to send further referral spam hits to our blogs.

Also, it appears to be using Russian resources, surprise, surprise.
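An added example, not part of the original post: the filmhill, vk and LinkedIn links quoted above all carry the same destination inside a redirect parameter, so stripping the wrapper lets a blog owner group them as one campaign and filter on the real host. The function names and the list of redirect parameters are assumptions chosen for the links in this post; the sample strings are the post's own links, kept in their spaced-out form and only rejoined in memory.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: only the wrapper parameters seen in this post's links.
# filmhill and LinkedIn use "url"; vk.com/away.php uses "to".
REDIRECT_PARAMS = ("url", "to")
MAX_DEPTH = 5  # guard against endlessly nested wrappers

# Referrers copied from the post, still in its spaced-out (defanged) form.
SAMPLE_REFERRERS = [
    "www . filmhill . com / redirect . php?url=http:// flf-course . com"
    "?a_aid=510d2acc92117&a_bid=6f93443e",
    "vk . com / away . php?to=http %3A%2F%2Fflf-course . com%2F%3Fa_aid"
    "%3D51893d1ad4b02&post=18068744_31",
    "www . linkedin . com / redir / redirect?url=http %3A%2F%2F flf-course "
    "%2Ecom%3Fa_aid%3D517d0f042c205&urlhash=e75j",
    "current . com / 1rhh7kc",  # shortener: nothing to unwrap offline
]


def _parse(url):
    """urlsplit only recognises the host when a scheme is present."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return urlsplit(url)


def unwrap(referrer):
    """Return (hosts, a_aid): every host from the outer wrapper down to the
    final destination, and the affiliate id (a_aid) of the innermost layer
    that has one, or None."""
    url = re.sub(r"\s+", "", referrer)  # undo the anti-autolink spacing
    hosts, a_aid = [], None
    for _ in range(MAX_DEPTH):
        parts = _parse(url)
        hosts.append(parts.hostname or "")
        query = parse_qs(parts.query)  # also percent-decodes one layer
        a_aid = query.get("a_aid", [a_aid])[0]
        nested = next((query[p][0] for p in REDIRECT_PARAMS if p in query), None)
        # Follow the parameter only if its value parses to a dotted host name.
        if not nested or "." not in (_parse(nested).hostname or ""):
            break
        url = nested
    return hosts, a_aid


def group_by_destination(referrers):
    """Map final destination host -> list of (wrapper host, a_aid)."""
    groups = defaultdict(list)
    for ref in referrers:
        hosts, a_aid = unwrap(ref)
        groups[hosts[-1]].append((hosts[0], a_aid))
    return dict(groups)


if __name__ == "__main__":
    for dest, hits in group_by_destination(SAMPLE_REFERRERS).items():
        print(dest, hits)
```

Shortened links such as the current . com and t . co ones cannot be resolved this way; they stay grouped under the shortener's own host.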

Screen capture of the Current version:

Dr Charles Spam 01

Screen capture of the Filmhill version:

Dr Charles Spam 02

Yep, it’s the same thing with only the sidebar being different.

I should also note I had to “hard” shutdown my virtual Kubuntu session to get out of the second link. Whether that has something to do with my video card drivers or the site I can’t say, but I don’t advise visiting the sites. Besides it’s just another scam to get money out of you.