Revenge of the Analytics Bots; Google Analytics Spam 2021

Over the past couple of days, we have seen an uplift in bot traffic across a number of our clients, so when we saw Marie Haynes tweeted about this

Heads up! If your analytics look too good to be true today, it's likely not because of a Google update. Many sites in our profile are seeing an attack of bot traffic Jan 31.

The spam site causing this promises you'll see more traffic in GA. 🤦‍♀️ pic.twitter.com/TkW3AlUHIy

— Marie Haynes (@Marie_Haynes) February 1, 2021

it was a great heads up, meaning what we spotted it in our own accounts was a wider issue than just one or two of our clients. We’ve investigated and it is referral spam but coming from a range of browser types and countries.

Bot traffic from spammers can be frustrating when it is polluting KPIs, so here’s how we dealt with it:

If you want to become data driven or data informed you will first need to be able to trust your data. With the way GA universal analytics works spamming is a feature rather than a bug, be aware of this so you can take measures. Arnout Hellemans (Analytics Consultant)

What is Google Analytics Spam?

It is relatively simple to insert fake data into Google Analytics. All you need is to push fake headers into the pages dom, and using this you can push fake messages into their analytics. This will also mess up site wide numbers such as bounce rate and conversion rate. This isn’t a new thing – it’s been around for a long time, hitting a high in 2014, but on a positive note it has been dropping since 2016.

“One of the big security and data integrity problems with Google Analytics (and with most JavaScript powered tracking solutions) is that people can easily insert any data they want, into any account they can find, without any special permissions, at scale. By their very nature, these systems are open APIs, designed to receive large volumes of varied, unauthenticated hits from myriad devices, locations, and systems. Oh, and once the spam’s in, it can be hard to detect and remove – that’s even assuming that you know to go looking for it.. Frankly, we’re all lucky that there’s not more widespread data abuse; there’s very little you can do to protect yourself from this kind of thing” Jono Alderson –

How do I find Spam in my Google Analytics account?

If you are reviewing your analytics data regularly, you will probably spot it either in referrals from odd places or unusual very high bounce rate traffic sources.

1. Look at overall website traffic for unusual spikes
2. Compare these spikes to the previous period to see which traffic sources have seen the greatest uplift
3. Look out for traffic sources similar to these examples
4. Filter them out at view level

The solution is quick to implement, but it will take some time to review all of your clients’ accounts to identify which ones have been hit by it.

Sadly it’s not always that easy. The problem is that this can reoccur with a different referral – the most infamous of this was ‘semalt’ which infected hundreds of accounts over a longer period. Interestingly it turns out that they had built a bot network by hijacking bots across the world – https://www.imperva.com/blog/semalt-botnet-spam/

This largely feels similar, which means we can’t just block a single IP address and we can’t just block one referrer. This, sadly, is something that Google ultimately needs to be able to fix. They need to make sure they can identify this at scale and clean up users accounts.

“It’s absolutely vital that you have accurate figures when you are reporting on traffic and conversions to your board each month. Bot traffic can skew these figures and have you thinking that your content and core pages are now picking up more traffic than they actually are, in turn conversion rates will be down and it’ll lead to confusion all round. It’s important to be able to identify and anomalies in traffic caused by bots early on so you can account for them in your reporting”
Luke Cope Head of Digital Strategy at Rise at Seven

Long term solutions

We can’t simply say this is someone else’s problem so our recommendations are:

• Create an unfiltered account, not to use for reporting but to make sure you get the complete picture if there are any filter issues
• On your main profile, enable the bot filtering at a view level in your Google Analytics accounts (this will help clean up some)
• Clean common bots like the one mentioned above
• Block countries that you definitely don’t want/get traffic from such as Russia and China with view level filter
• Create an additional filter that ONLY includes targeted countries (such as the UK or UK Plus US)
• Filter to only include the hostname(s) your analytics is installed on

We are still working on ideas for our clients, but some things we are keen to investigate further include this idea of using recaptcha information –

Of course, if you need help auditing your analytics account, reach out to us.We might be able to fit you in!