The more I study the patterns employed by this bot army, the more interesting patterns emerge. Here’s what I know so far about the Samara Oblast hacker:
- The actual person may not even be from Russia, since I keep getting traffic from different places in Russia. It could be that Russia is just a proxy location; the perpetrator might as well be sitting in the United States sending this spammy traffic.
- The person does not like Google, or at least Google Analytics. I’d have to guess that this person is deeply concerned about privacy of the web and therefore is messing up the data in Google Analytics to such an extent that it becomes riddled with spammy traffic.
- The person is somehow hooked into an underground ad network, because there are specific products being promoted: Donald Trump, the o-0-8-o-o.com domain, some Vitaly plug-in for Chrome. It could be that this Vitaly plug-in itself is a malware-esque method of infecting multiple browsers, which are then used to create this referral spam traffic. I haven’t sufficiently studied the plug-in so far, so I cannot make any concrete statements on that front. It’s a guess, that’s it.
- There was an article about this person being a Trump supporter. I guess it appeared at pretty much the same time as the Trump string started showing up in Google Analytics. I guess the string also makes for solid link bait :-)
- It’s a cute way of grabbing attention, and it can be done by anyone who wants to target webmasters. However, if you check your server logs, you will see a much darker pattern being utilized. I am not so sure if it’s the same source or not; however, there are massive brute-forcing attempts at around the same time as these bot visits.
tl;dr – Vitaly, if you indeed are the Samara Oblast hacker, stop these bots please.