Unusual Spike in Russian Language Traffic
Account: Mason Office of Communications and Marketing 01
Property: www2.gmu.edu
View: [PROD] www2.gmu.edu – default 1.0 (2007-10-12)
Report: Audience -> Geo -> Language
Date Range: Nov 1, 2016 – May 31, 2017
Filter: Language = “ru”
That’s weird.
Zoom in on date range.
Date Range: Feb 23, 2016 – Mar 1, 2017
Add secondary dimension to see where these visits are coming from.
Secondary Dimension: Full Referrer
Lots of Russian-language visits from a Vice.com article?
motherboard.vice.com/en_us/article/nz9nmw/google-wins-legal-battle-against-pro-trump-spammer-over-the-letter-g
“In the run up to the US election, Popov, who disputes whether he’s a spammer under US spamming laws, flooded users’ Google Analytics with unwanted messages, including some expressing support for then presidential candidate Donald Trump. He followed up with a wave of messages linking back to a Motherboard article describing his antics.”
Let’s zoom out on date range a bit, and see what else vice.com has sent us.
Unusual Referral Traffic from Vice News Website
Account: Mason Office of Communications and Marketing 01
Property: www2.gmu.edu
View: [PROD] www2.gmu.edu – default 1.0 (2007-10-12)
Report: Acquisition -> All Traffic -> Referrals
Date Range: Nov 1, 2016 – May 31, 2017
Filter: Source = “motherboard.vice.com”
Secondary Dimension: Full Referrer
Two of these referral sources are spam. The articles in question don’t actually link to us.
One of these referral sources is real. The article actually does link to us.
motherboard.vice.com/read/this-pro-trump-russian-is-spamming-google-analytics
“As Analytics Edge reported in November, websites have noticed referrals from lifehacĸer.com and ɢoogle.com. Check those URLs again; they are not the real Lifehacker or Google domains.
Instead, Popov has registered websites that use the latin version of letters, meaning he can get a URL that looks very much like google.com, but directs visitors elsewhere. And Popov has been including pro-Trump messages in his spam.”
www.analyticsedge.com/2016/11/heres-a-secret-%C9%A2oogle-com-is-not-google-com/
“Google Analytics has become a great target for spammers, where they leave fake traffic that draws unwary web site owners to investigate where it came from. This week one of those spammers left a ‘Vote for Trump‘ message in many people’s analytics reports. What most people didn’t notice was that the website it referenced looked like secret.Google.com…but it wasn’t.”
“ADR Forum, the arbitration body handling this case, agreed.
‘Having established all three elements required under the ICANN [Internet Corporation for Assigned Names and Numbers] Policy, the Panel concludes that relief shall be GRANTED,’ ADR’s decision reads. ‘Accordingly, it is Ordered that the <ɢoogle.com>domain name be TRANSFERRED from Respondent to Complainant.’
Let’s look to see if we can find his original spam as reported by Analytics Edge.
Pro-Trump Russia Spam
Account: Mason Office of Communications and Marketing 01
Property: www2.gmu.edu
View: [PROD] www2.gmu.edu – default 1.0 (2007-10-12)
Report: Audience -> Geo -> Language
Date Range: Nov 1, 2016 – Dec 31, 2016
Those are not normal language field values. Let’s filter for just those unusual visits.
Filter: Language = “oogle|Trump” (Note that we are not using the “g” character.)
This guy has been busy!
- In the lead up to the election, he sent spam traffic which included a link to a questionable domain name and included a pro-Trump message. He finally got around to turning-off this traffic shortly after the election (Dec. 2, 2016).
- In early December, he sent spam traffic linking to another questionable domain name purporting to be some kind of search engine. More info: Easily Prevent All Spam Like “o-o-8-o-o.com search shell” in Google Analytics
- In mid-December, he switched to sending spam bragging about his exploits.
- In late December, he sent spam congratulating “Trump and all americans”.
- Finally, as we saw above, he then switched gears in 2017 and started spamming traffic appearing to be referrals from the Vice.com articles about his activity, which is how I originally found him.
So now we all know who this guy is, which is exactly what he wanted in the first place.