It looks like referrer spamming is back and it’s more sophisticated than before.
I normally get a notification email from my stats package whenever I have had 100 visitors to the website. Note that’s 100 real visitors using browsers it doesn’t count crawlers or bots. I normally get two or three a day, I’m running at about 270 unique visitors per day.
I noticed yesterday that I was getting them about every three hours. That’s more than twice the normal rate and I don’t recall anything happening on the site to justify it. I was immediately suspicious and investigated.
On looking at my stats package (I use Power Phlogger) I noticed lots and lots of hits on my home page all with the same referer (an unsavoury site to which I shall not link!).
“Oh!” says I (to myself), they are at it again. “…Wait a minute! They never showed up here before!” And indeed they didn’t. You see I have my stats set up so that you need a browser with JavaScript enabled to log an entry in my stats. That way I get a count of real people and not bots, crawlers, and other automated visitors.
My next thought then, was that someone had come up with a referer spamming script that actually went so far as to decode the page and execute the JavaScript (loading another JavaScript file in the process). Hmmm… not likely really.
A closer look showed me that each visit was from a different IP address too. Again, I know that you can spoof IP addresses and even do it with automation, but then I noticed that some ‘visitors’ had visited the page more than once. In order for Power Phlogger to record that, you have to have accepted the cookie it sent and returned it with subsequent requests. I also saw that the user agent strings were spread across several different versions of Internet Explorer and on several different versions of Windows. With different screen resolutions! Finally I saw that several visits seem to have come via legitimate ISP proxy servers.
No-one would write a referer spamming script that sophisticated would they?
The only conclusion I can draw is that this referral spamming is being done via trojan applications (or automated remote control), and is actually controlling Internet Explorer on the victims’ machines.
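The signals described above (one referer, a different client IP on almost every hit, a spread of browser versions, every hit landing on the same page) can be turned into a simple detection pass over a server access log. The script below is an added example and not part of the original post or of Power Phlogger; it assumes Apache/nginx "combined" log format, and the log lines, hostnames, addresses and user-agent strings in it are constructed for illustration.

```python
"""Flag referer-spam campaigns in web-server access logs (constructed example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the group names are our own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six hits on "/" sharing one referer, each from a fresh IP with
# assorted IE/Windows user agents, plus two ordinary search-engine referrals and one direct visit.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2004:09:01:12 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.57 - - [12/Mar/2004:09:04:30 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.4 - - [12/Mar/2004:09:07:51 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.88 - - [12/Mar/2004:09:11:02 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
192.0.2.23 - - [12/Mar/2004:09:14:45 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.199 - - [12/Mar/2004:09:18:09 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-referer.example/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.77 - - [12/Mar/2004:09:20:00 +0000] "GET /articles/stats.html HTTP/1.1" 200 8801 "http://search.example/?q=phlogger" "Mozilla/5.0 (X11; Linux i686) Gecko/20040101 Firefox/0.8"
192.0.2.77 - - [12/Mar/2004:09:20:04 +0000] "GET /articles/phlogger.html HTTP/1.1" 200 7211 "http://search.example/?q=phlogger" "Mozilla/5.0 (X11; Linux i686) Gecko/20040101 Firefox/0.8"
203.0.113.200 - - [12/Mar/2004:09:25:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_profiles(lines):
    """Aggregate per-referer evidence: hit count, distinct client IPs, user agents and landing paths."""
    profiles = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("", "-"):
            continue  # malformed line, or a direct visit that carries no referer
        p = profiles[rec["referer"]]
        p["hits"] += 1
        p["ips"].add(rec["ip"])
        p["uas"].add(rec["ua"])
        p["paths"].add(rec["path"])
    return profiles


def suspicious_referers(lines, min_hits=5, min_ip_ratio=0.8, min_uas=3):
    """Flag referers whose traffic looks like a distributed campaign rather than readers:
    enough hits to matter, nearly every hit from a different IP, several user agents, and
    every hit landing on one page. Real referring sites repeat IPs and send readers to assorted
    pages, so they fail at least one of these tests. Returns (referer, hits, ips, uas) tuples."""
    flagged = []
    for ref, p in referer_profiles(lines).items():
        if p["hits"] < min_hits:
            continue
        ip_ratio = len(p["ips"]) / p["hits"]
        if ip_ratio >= min_ip_ratio and len(p["uas"]) >= min_uas and len(p["paths"]) == 1:
            flagged.append((ref, p["hits"], len(p["ips"]), len(p["uas"])))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for ref, hits, ips, uas in suspicious_referers(SAMPLE_LOG.splitlines()):
        print(f"{ref}: {hits} hits from {ips} IPs with {uas} user agents, one landing page")
```

The thresholds are deliberately loose defaults; on a real log you would tune `min_hits` to the site's normal traffic and feed the flagged referers into whatever the stats package or web server uses to drop or ignore them, rather than acting on a single run.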
The implications for this are huge! Referral spamming is minor in comparison to what could be done.
Massive denial of service attacks that are indistinguishable from legitimate visitors? How about all those saved passwords on all those machines. If you have that much control of the victim’s machine then why not try to visit every single banking site you can think of and try to login. You may as well start with the favourites folder, the victim’s bank is probably already in there. Imagine someone with Passport configured! I could think of lots and lots more.
The mind boggles at the insecurity of Windows!