Check your GA4! Referral Traffic spike from News.Grets.Store and a solution to deal with it - The Daily Dose of Digital - 19/02/24

Check your GA4! Referral Traffic spike from News.Grets.Store and a solution to deal with it - The Daily Dose of Digital - 19/02/24

This will be a quick update from me! Whilst checking some of the many GA4 accounts I have access to, I stumbled across a significant spike in referral traffic in the past few days on a number of accounts.

Note: This article now features a number of updates as the wider community get to grips with this absolute nonsense!

Where is this referral traffic coming from? Is it even traffic?

After further investigation, it seems to be coming from a very specific source: "news.grets.store" - this is not a legitimate website, or even a spammy backlink blog/news site, but it appears they are firing people's GA4 tags directly, causing a spike in 'referral traffic' with no time on site, no engagement etc - as you can imagine, this significantly impacts many metrics so is definitely worth trying to block or at least minify impact on reporting accuracy!

What the heck are they up to? Why send ghost referral traffic?

Well, this is the million dollar question here. Referrer/referral spam targets Google Analytics (GA) and other analytics platforms. Its purpose is to send fake traffic data to analytics accounts, making it appear as if a large amount of traffic is coming from specific referrer websites. (Thanks to a number of subscribers who shared their input on the info below!)

The primary goals of referrer spam in Google Analytics 4 (GA4) and its predecessors include:

  1. Promotion and Visibility: The spammers hope that by flooding your analytics with their URLs, you will become curious and visit their sites. This increases their site's visibility and traffic, albeit artificially.
  2. Link Building: By appearing in your analytics, these spam URLs get backlinks from websites that publish their traffic data publicly or share it unknowingly. This can artificially inflate the perceived authority and ranking of the spam domains in search engine results.
  3. Malware and Phishing: Some referrer spam is designed to lure webmasters to malicious websites that can infect their devices with malware or trick them into providing sensitive information.
  4. SEO Manipulation: By generating a large number of fake visits with specific keywords, spammers can attempt to manipulate search engine rankings. This practice is less effective directly but can be part of broader black-hat SEO strategies.
  5. Affiliate Fraud: Spammers might use referrer spam to create fake referral traffic to sites offering affiliate programs, hoping to earn commissions on these bogus referrals.

How do we block or remove this ghost spam referral traffic?

Spike in referral traffic from dodgy referral source

To block this from registering any more sessions/views, I have gone into the admin settings for the account and blocked traffic from this as follows:

  • In GA, navigate to > Admin
  • Then navigate to > Data Collection and modification tab > data streams >
  • Then click on the affected site/data stream >
  • In the slide-out window visit > Configure tag settings >
  • Then click on show more > List unwanted referrals >
  • Then where it says 'Referral domain Contains' enter > news.grets.store >
  • Now save this.

This will stop any new traffic being registered in analytics from this source - however, doing this CAN lead it to still show, but as DIRECT traffic instead, so it is worth considering how to omit this from reports ongoing using filters/segments.

Also, old data will remain.

So, to exclude it from your reports you will need to create a filtered segment (this is a similar exercise to when blocking traffic from certain bots etc).

  • Go to Explore mode
  • Open a new/existing exploration > Create a new Segment >
  • Choose user segment > Add new condition > Page Referrer > Add Condition > does not contain > news.grets.store
  • Be sure to name the segment to make it easier to find later.
  • Click Apply

After this, you'll need to select this segment in the exploration view to apply the rule and exclude this dodgy referral traffic. You can also use filters to temporarily help where needs-be.

Referral traffic removed from view

Unfortunately, you may still see some of this referral traffic in 'Live/Real Time' view, but at least you can report more accurately with this method.

This, of course, will impact any other dashboards and reporting you may have in Looker Studio etc so it's worth applying filters and segments in these too. Quite the job!


UPDATE 21/02/24: Blocking this referral source via tag settings may just set it as 'direct', consider filtering out IPs...

It has been noted that technically, the above method for blocking the ghost traffic might not go far enough as Google may read this now as direct traffic instead (TBC) - however, there may be one more failsafe to stop this traffic from registering in analytics: Blocking the IP addresses by flagging them as internal traffic. Google's guide can be found here .

  • In GA, navigate to Admin > Web Stream Details
  • Select your Data Stream > Configure Tag Settings

Define Internal Traffic

  • Show More > Define Internal Traffic

Add IPs to block

  • Then click Create > complete the configuration fields including a name and apply the IP addresses. From my research, these show as 77.222.40.224 and 45.140.19.173 (although as rightly pointed out by peers, this may not be the same for everyone).
  • Save and apply this.

You'll then need to ensure this filter is included in the account filters.

Define internal traffic and set as active

As Kim Kuhlman, PhD pointed out in a comment , you may want to block these as IP ranges rather than specific IPs as they will likely be shifting IP addresses / using dynamic IPs to be even more disruptive. To do this, select IP in range, and use a "/" reference at the end:

Please note, this is just one possible way to resolve the challenges from this kind of ghost / spam traffic from this one particular source. I appreciate there are still some issues here and this solution may not be robust enough for everybody.


UPDATE 23/02/24 - Reports of other domains sending referral traffic - how to find their IPs to add to above solution:

There have been reports of more users experiencing additional URLs taking this same tactic! These include (URLs obfuscated with x's so you don't click on them and they don't get a backlink etc!):

  • info.seders.websxxx / referral
  • ofer.bartikus.sitx / referral
  • game.fertuk.sitx / referral
  • garold.dertus.sitx / referral
  • kar.razas.sitx / referral
  • and more...

I have been asked a few times how you can see IP addresses. One method is to use https://who.is to find out the registrar details. By looking into the Whois data, the DNS records and Diagnostics, a number of IP addresses will show. For example, for "ofer.bartikus.sitx":

Who . is. data for one of the dodgy domains
DNS records for the dodgy domain

My only suggestion here would be to consider blocking these as 'internal traffic' via the IP addresses shown, as in the steps above, and to omit the traffic through segments/filtering.


UPDATE: 24/02/24 - Google Tag Manager Solutions

Please check out the next issue where we explore solutions in Google Tag Manager which may work: https://www.dhirubhai.net/pulse/new-solutions-newsgretsstore-other-ghost-spam-referral-james-gray-miwme


I genuinely don't know when/how this could end, or what the heck they're trying to achieve from it, but let's keep sharing ways in which we can resolve this disruptive digital behaviour!

I hope this has helped if you too have noticed a crazy spike in referral traffic today! Did you see something similar in your accounts? Let me know if the solutions have helped in the comments! Or if you have any other solutions.

John-Pierre Cornelissen

Websites voor restaurants en andere horecabedrijven ??

2 周

I found these spikes for March 2024 when looking at a traffic report from last year. Looks like Google is blocked them now. Universal Analytics used to have the same issue. Back then, I added rewrite rules to .htaccess to block these sites. It's easier to create the rules once and copy & paste them across the sites you manage. The rules go like this: RewriteEngine on RewriteCond %{HTTP_REFERER} ^http(s)?://([^.]+\.)*grets.store [NC,OR] RewriteCond %{HTTP_REFERER} ^http(s)?://([^.]+\.)*seders.website [NC,OR] RewriteCond %{HTTP_REFERER} ^http(s)?://([^.]+\.)*razas\.sit/ [NC] RewriteRule .* - [F,L]

Pamela Dean

Open-source Intelligence Analyst | Security+ | Network+ | 4x KASE Scenarios OSINT Badges | 10x Hacktoria OSINT CTF Badges | Featured Hacktoria YouTube Channel CTF Write-up Solution Author | Owner & editor hacktress.com

7 个月

Hi James, I was excited to read this article a few weeks ago as I was experiencing something similar with my business website and referral stats. In my case, I am getting referrals from a proxy server whose IP range is Cloudflare so I can't block it. I wrote a post about it yesterday. If you can, would you be able to give it a read and let me know what you think? If not, no worries! Am trying to find a work-around. Thank you!

Dolphin Neurostim

An innovative, easy-to-use, drug-free alternative device for pain, scars, vagus nerve stimulation and much more.

8 个月

Thank you

Thanks for this!

回复
Frances Weaver

Senior Web Architect, Analytics & Tag Implementation

8 个月

I really don't think using "List unwanted referrals" is a good solution. It's meant for X-domain tracking and does NOT filter out the spam traffic. Instead it changes the source/medium from news.grets.store/referral to direct/none, which would create more confusion. Bottom line is we want to EXCLUDE it from our analysis, so segmentation is the right way to go.

回复

要查看或添加评论,请登录

社区洞察

其他会员也浏览了