Saturday, June 10, 2017

The Ukrainians From ZRus Who 'Read' My Blog

If you are a fellow user of Blogger or a similar platform, then you have probably noticed that you get a significant amount of traffic from websites in Ukraine or Russia, many with the specific domain name zrus.org.  You're probably curious about who these Ukrainians linking to your blog might be.  You may even be a little bit flattered that your tiny blog is getting international recognition.

Don't get excited, and whatever you do, do NOT click any link to these websites.  This is a well-known scourge on the blogger community, and clicking the links could infect your computer with malware.

These sites are a malicious scam.  Let me explain how this scam works.


In your Blogger dashboard, under the "stats" tab, you can see a list of referring traffic.  This might be from twitter, facebook, reddit, other blogs, maybe even news publications depending on how popular your site is.  It will also show a number of hits from each source.

Most bloggers on Google's service use this built-in feature to check their blog's traffic - sometimes obsessively.  When you see someone linking to your blog, you want to know why.  You want to click the link there to see what they may have said about your blog post.  And the scammers know this.

They create a webpage, and from that page they generate re-directions to your blog. This is done with computers, and does not mean any actual person in Ukraine ever saw your blog.  I've noticed sites like zrus.com and the rest of the Russian cottage-industry of reverse-traffic scamming like to use exactly three page views.  Some days, I have a long list of zrus.com sites, each with exactly three pageviews.  (After this post they may change the number to obscure themselves.)

I'v never clicked any of these links, and neither should you.  Here's why.

When you click the link, you will be redirected to a page that is an advertisement (usually for pornography).  The page also usually contains malware such as trojans or worms that will embed in your computer if you aren't careful.  Nowhere on the website will there be any mention of your blog post, or any link to it, or any people commenting or discussing what you said.

It's just an advertisement with some malware attached.

This is an old scam.  Before zrus.org, the leader was vampirestat.com, which thankfully has been staked to death.  They then spawned a number of others, such as zombiestat, uglystat, mobsterstat, etc.  It was exceedingly frustrating, and many bloggers (myself included) complained loudly to Google for continuing to show these malicious links in our stats menu.

Eventually, Google fixed the problem.  I don't know if they blocked those sites from trafficking their users' blogs, or if they just stopped showing the links in their users' stats pages, but eventually the scourge of vampirestate went away.

However, in the past year, I've been seeing it return (with new domain names), and it's just as annoying as always.

The problem continues to spread because people continue to click on the pages.  Unless you have admin control over your server and domain, there's not much you can do to stop them from creating malicious traffic to your blog.  So here are some things you can do:

1. NEVER, EVER CLICK THEM!!!  This is the most important thing I can say.  For one, for the health of your computer.  For two, because this only works because people keep clicking the links in their stats page.  If we stop clicking the links, this technique will become less successfuly and thus less common (like Nigerian princes, it will probably never truly go away).

2. Always search for unknown domain names before clicking any link in your stats page.  Because of my blogs one (1) popular post, I sometimes get traffic from strange places I've never heard of before.  I never, ever click the link in my stats page, and instead look up the domain first to be sure this is an actual website and not scammers in Ukraine.  If the search shows nothing but whois requests or visitor reports or the domain itself entirely in Russian, then you can bet the ranch you aren't getting legitimate traffic from them.  DO NOT CLICK THESE LINKS even in your search results.  Don't click so-called traffic verifiers about these links either.

If you can't tell what these referring sites are from a quick Google search, then there is no reason to open them at all.

As an example, here is what my traffic looks like at the time of writing:

You see some zrus.org sites on there.  Those are entirely malware reverse-traffic scams.  An internet search for zrus.org will show only the main domain, and lots of lists of referral traffic on other websites or sites claiming to tell you who zrus.org is (don't click those either).  However, also in thus result is Yandex, which is Russian language, but a search of Yandex will show you a nice Wikipedia page explaining that Yandex is a search engine -- basically the Russian Google.  That's a legit hit (though there still isn't any reason to click it).

You'll also see some legitimate traffic there, such as google, facebook stumbleupon, the Brazillian-language blog  showdomedo.blogspot.com.br, as well as strangerdimensions.com.  For both of those last two sites, I actually verified through a search beforehand that they were legitimately citing my blog before I ever clicked on them (and they are, and are both neat sites -- if you like science fiction or multiverse ponderings, check em out!).  [Edit: I unlinked the links to there when I realized it would show up in their reports as referral traffic when it wasn't really relevant, but do check them out]

The point is that not every unknown source of traffic is bad, but some of them are, so you should verify first before clicking a link.

Here's another list for completeness:
 

You see another zrus.org site, but also some weirder ones, like wttavern.com and your-bearings.com. Both of these are reverse-traffic scams, though perhaps more benign ones.  For instance, your-bearings is apparently some kind of store for bearings, and there's no reason for them to be linking to a blog about fantasy and science.  These may be part of a traffic-direction campaign -- don't click on those sites either, since it only encourages them.

(Side note: I also see half a Google search result, and it's so frustrating these get cut off.  I have had some very intriguing things show up there before.)

3. This problem is not Google's fault, and they can't stop it, but they can take steps to mitigate its effect on their users.  Report the sites as malicious and ask if they can be removed from your blog's stats reports.  They were able to shut down vampirestats somehow, so they should be able to stop ZRus.

Short story is, ZRus.org is a reverse-traffic scam site, they are not actually visiting your blog, you should not give them the satisfication of ever clicking on them, and they may infect your computer with malware.  Further, some companies (perhaps unknowingly) hire traffic campaigns that end up using the same reverse-traffic scam to generate webviews for obscure commercial sites, so be sure to verify any new pages you see in your traffic results before ever clicking them.

A good rule of thumb may be -- just don't click links in your stats page, and go to the source from a search engine instead if you want to see why you're linked.

No comments: