Block unwanted GA4 referrals - Google analytics spam

Ivan Radunovic

Feb 26, 2024 · 7 min read

Lately one of my GA4 properties started receiving huge spikes in traffic. At first I thought success, but after checking channels I noticed they are all spam referrals coming from these sites:

  • grets.store
  • seders.website
  • razas.site
  • fertuk.site
  • mantero.online
  • bartikus.site
  • dertus.site
  • icopy.site
  • rida.tokyo

GA4 Snapshot of Traffic Spike

These are the main domains; the referrals actually come from many subdomains of these sites.

What is the purpose of a GA4 spam campaign?

The main purpose is to push you to visit one of these sites. When you visit, they'll serve malware to your browser.

I did a quick check of a few of them, and at first it seems like the traffic is from Poland. But a deeper search reveals that they belong to some Russian hacking group, since all of their backlinks are from RU.

Backlinks on Google Analytics Referral Spam Domain

VirusTotal and a few other companies marked these domains as malware:

VirusTotal results for a GA4 spam domain

How do they send traffic to your property?

I am using a few other analytics solutions like Plausible and they did not detect this traffic.

This means these malicious actors are posting data directly to the Google Analytics property without visiting the site.

After checking server logs and Cloudflare logs, I am positive that they directly triggered the GA4 property and sent unwanted referrals to it.
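One way to repeat the server-log check described above, as an added example rather than the author's own script: it scans combined-format access log lines for a Referer on one of the listed domains or any of their subdomains. The log format and the sample lines are assumptions; zero hits for the period of the GA4 spike means the referrals never reached the web server.

```python
import re
from urllib.parse import urlsplit

# Main spam domains listed in the article.
SPAM_DOMAINS = {
    "grets.store", "seders.website", "razas.site", "fertuk.site",
    "mantero.online", "bartikus.site", "dertus.site", "icopy.site",
    "rida.tokyo",
}

# Tail of a combined-format log line: "request" status bytes "referer" "agent"
LOG_TAIL = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"\s*$')


def referer_host(line):
    """Return the lowercased Referer hostname of a log line, or None."""
    m = LOG_TAIL.search(line)
    if not m or m.group("referer") in ("", "-"):
        return None
    try:
        host = urlsplit(m.group("referer")).hostname
    except ValueError:  # malformed URL in the header
        return None
    return host.rstrip(".").lower() if host else None


def is_spam_host(host):
    """Match a listed domain or any subdomain of it, on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in SPAM_DOMAINS)


def spam_hits(lines):
    """Return the Referer host of every request that came from a spam domain."""
    hosts = (referer_host(line) for line in lines)
    return [h for h in hosts if h and is_spam_host(h)]


# Constructed sample log lines (not from the author's server).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Feb/2024:10:00:05 +0000] "GET /blog HTTP/1.1" 200 8431 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [26/Feb/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "https://news.grets.store/page" "Mozilla/5.0"',
    '192.0.2.56 - - [26/Feb/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 5120 "https://notgrets.store/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(spam_hits(SAMPLE_LOG))
```

The sample contains one constructed spam hit so the matcher is visibly exercised; matching on a label boundary keeps look-alike hosts such as `notgrets.store` out of the count.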

Blocked referrals on Cloudflare

I wanted to be 100% sure so I created a WAF rule on Cloudflare to block these referrals. 24 hours after deploying that rule, there were 0 triggers.

Cloudflare WAF Rule to block referrals

And 0 triggers so far:

Cloudflare WAF did not fire

How to remove spam GA4 referrals

Visit the Admin section of your GA4 property and open Data Streams:

Open Data Streams in Admin section

From the Data Streams page choose the Web property you use, and scroll down to Configure tag settings.

Expand the list of tag settings and choose List unwanted referrals.

Inside, add the list of main domains to block, like this:

Ignore referrals list

And Save.

This won't affect past referrals, but will block any future referrals.

Results after adding ignore referrals list

So far I am not seeing any new spikes in traffic.

GA4 traffic is back to normal.

Conclusion

There will be more of these GA4 spam campaigns, and just when Google finds a way to block them, hackers will create new attacks.

The most important thing is not to visit any link that is coming from the outside. This attack is no different from sending spam links by email; the hackers have just changed the delivery channel.

If you're really curious about the visit, first do a Google search, then search on VirusTotal and other popular search services.

I personally never visit these sites, sometimes I send a 3rd party service to scan and screenshot the site.

Ivan Radunovic is a Senior Developer with over 11 years of experience in web development. His expertise is Laravel SaaS solutions. So far he has developed or taken part in 300+ Laravel projects.
