Great Google Analytics numbers are not always what they seem. In fact, your sudden uptick in your rankings could be the result of a sneaky botnet deployed by a Ukrainian SEO startup, Semalt.
FREE Download: CISO Data Breach Guide
Incapsula researchers began noticing the scale of Semalt’s referrer spam campaign a couple of months ago. As part of the spamming ecosystem, referrer spam creates backlinks to a certain URL by using publicly accessed logs. Their dual function uses crawl bots to scan for vulnerable targets and spam to exploit these vulnerabilities.
The bots access hundreds of thousands of websites, sending out requests with synthetically generated “referrer” headers, and each of these headers contains the website URL the perpetrators are trying to give an SEO boost. The requests are automatically recorded in publicly accessible logs. Thus, when Google crawls these websites, it indexes the publicly accessible logs and treats the referrer value as a backlink, thereby boosting SEO.
On the surface, there are no immediate security threats or visible side effects, but the referrer spam is doing more long-term damage to SEO. Down the line, this damage can range from demotion in search engine results to complete search engine results pages (SERP) blacklisting and removal.
Enter Semalt. The Semalt bot can execute JavaScript and hold cookies, bypassing bot-filtering methods. In Google Analytics, this is classified as “human” traffic.
More recently discovered, Semalt is running a crawler using a botnet generated by malware that is hidden in a utility called SoundFrost. This has produced one giant botnet! Indeed, during the last 30 days, Incapsula saw Semalt bots attempting to access over 32 percent of all websites on their services, with spamming attempts originating from over 290,000 different IP addresses around the globe.
[wp_ad_camp_4]
Semalt is self-described as “a professional webmaster analytics tool,” but its suspicious business activities are not going unnoticed. Many people have started voicing caution on Twitter to other users about Semalt’s referrer spam botnet and analytics crowding methods. To keep it from further spreading, Incapsula added Semalt to its “Bad Bot” list, meaning that by default the site is blocked from all Incapsula accounts. Semalt’s unwanted behavior will not negatively impact Incapsula’s customers’ website performance.
By Ofer Gayer, Security Researcher, Incapsula
About Incapsula
Incapsula’s cloud-based Application Delivery service enables businesses to simplify their IT operations and reduce costs by consolidating multiple appliances and services into a single cloud solution. Enterprises get best-of-breed security, load balancing, failover and a global CDN, without having to deploy, manage and integrate separate products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.