Looking Inside A Website Traffic Con

21 December 2022

– A Digital Marketing Scam using SparkTraffic to create fake Google Analytics data

To reach a wide and relevant audience is key for the success of any media outlet. Social media plays an important role to build up a media’s readership, but traditional newsletters are still used to reach those outside of the social media sphere. This report describes how we discovered that “New Born Media” a digital marketing advertiser from Kosovo used online service “SparkTraffic” to tamper with Google Analytics to simulate traffic from readers that did not exist.

Nacionale.com is Kosovan independent media that was launched in March 2022 by a team of highly experienced journalists. The news site quickly became one of the main news platforms in Kosovo. To widen their readership they were looking into different dissemination strategies and found an interesting Newsletter service offered by “New Born Media“, a local Digital Marketing agency. The Nacionale team met with Valdrin Rushiti the CEO of the company that offered their marketing service. The CEO explained that his agency had access to 170,000 verified email addresses that had given their consent to receive information from local businesses. To promote their articles Nacionale would provide a list of 10 top stories to their Email Marketing service three times a week and they would disseminate these links by mail to the 170,000 subscribers.

Email Marketing advertisement of New Born Media

New Born Media offered Nacionale a free trial to illustrate the impact of the service. The results were amazing! Google Analytics showed 30,000 new readers, and only 300 users (0,17%) unsubscribed from receiving future Newsletters from Nacionale.

The service was not cheap, it cost Nacionale as much as three full time reporters, but the opportunity to increase their readership was a priority. Nacionale signed up for the service, and each week three Newsletters were sent with 10 top stories in each of them.

The Nacionale team kept a close look at their Google Analytics data after each Newsletter. Although the results looked excellent, they had a feeling that this service was too good to be true.

“The waves of traffic were odd, but we were told that that it was intentional, not to send the email to all recipients at the same time so that Gmail would not filter them as spam” says Visar Arifaj, co-founder of Nacionale.

He continues “Another red flag was the ratio of new vs returning users. Almost all users that visited our site via the newsletter were new users and never returning users”. The math simply did not add up. If 30,000-40,000 new users visited their site after each Newsletter, the pool of recipients, 170,000 in total, would run out after 4-6 Newsletters.

Once the suspicion was raised, Visar and his team started to analyze the traffic pattern of the users from the Newsletter. They noticed a behavior that did not look human – all users clicked on each and one of the 10 links provided in the Newsletter. By now the Nacionale team was convinced that the traffic was fake, but they did not understand how it was possible.

Knowing Qurium’s passion for digital forensics, the Nacionale team traveled to Sweden to meet our team and to ask Qurium to look into the case and confirm if their concerns were justified.

Qurium is hosting Nacionale since September 2022, after being targeted by frequent DDoS attacks since the media was launched.

Finding the needle in the haystack

To confirm the suspicion of Nacionale, we started to compare the Google Analytics of Nacionale.com with the traffic logs of our hosting platform. We could quickly confirm that traffic that was reported in Nacionale.com’s Google Analytics account never had reached their hosting server. Thousands of web requests were reported in Google Analytics but just a few hits arrived to our monitoring system.

The next step in the investigation was to find out WHY the traffic never reached Qurium’s infrastructure and HOW the statistics in Analytics where created..

The web requests, that only reached Google Analytics and mysteriously vanished in cyberspace before reaching our servers, included a specific tag that could help us trace its origin. Each of the links included in the Newsletter included a so called UTM (Urchin Traffic Monitor) tag. UTM tags are variables attached to the end of a URL that are used to track requests coming from specific platforms. The tags are used to track how successful an advertising campaign is or how many readers that engage in a specific content when promoted in a third party platform.

As an attempt to figure out what was going on, we wrote a few custom scripts to track the tags “utm_source”, “utm_medium” and “utm_id” in our platform. As expected we could only see a small fraction of the requests that Google Analytics was reporting recorded in our systems.

We decided to look into the traffic that actually did hit our infrastructure. Why would some requests hit us, but the vast majority not? We searched for all IP addresses that had requested pages from Nacionale.com with a UTM tag during the last month. We discovered that the very first request reaching out to fetch these specific pages was a computer with:

IP address: 66.175.210[.]166
Browser: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

We had found the needle.

The mysterious .166

We decided to closely monitor the IP address .166 trying to find a specific pattern that could help us to discover what was running in that machine. Every time the NewsLetter was sent, 66.175.210[.]166 was retrieving each and one of the 10 articles promoted on the website.

IP address .166 periodically reaching the website

Discovering what was running on 66.175.210[.]166 was not hard since the IP address was redirecting to the hidden backend of the website “SparkTraffic”, a so called “Website Traffic Generator”. SparkTraffic generates traffic that looks like it is coming from real users, and their clients buy it to improve their website traffic metrics, such as increased traffic volume.

The IP address 66.175.210[.]166 corresponds to the backend of SparkTraffic.

We decided to investigate SparkTraffic and their so called “promotion of traffic business” and found several other domain names associated to the same company:

trafficbot{.}uk (2014-2015)
trafficbotphp{.}com
alexaspark{.}com
verytraffic{.}com
visitorboost{.}com
organictrafficbot{.}com
linkcollider[.}com
smmshop{.}com
upseo{.}com

SparkTraffic and all the above domain names are associated to a Hungarian man called Dimitrij Alekszandrovics Sztupin that operates a number of “traffic generating” services, Social Media Marketing services that sell fake likes and followers under a number of shell companies. More information about Sztupin’s fraudulent businesses can be found in Annex 1.

UpSEO – Just another SEO service from Spark Traffic

Andre (Spark Traffic’s Support) promoting their social media services smmshop.com}

How to fool Google Analytics

Once we had fully confirmed that fake traffic was sent to Google Analytics to boost the traffic volume, we decided to investigate how Spark Traffic was able to generate traffic inside Google Analytics without sending traffic to the real websites.

We analyzed Google Analytics’ documentation for clues and we learned how to build our own fake requests to Google Analytics and create some nice traffic statistics. After a few tests and tweaks we got Google Analytics recording our traffic without any real traffic visiting to the website.

We used the Google Analytics API and specified a request with target website (dh), hit type (t) and a sender (dr). With other words, a user from http://spongebob.lol visited the site https://www.victim.website.

https://www.google-analytics.com/collect?v=1&tid=UA-xxxxxx-1&cid=666&t=pageview&dh=https%3A%2F%2Fwww.victim.website&dp=%2F&dt=Victim&aip=1&dr=http%3A%2F%2Fspark.my.traffic

v = 1                            // Protocol Version
tid = UA-xxxxxx-1                // Tracking-ID
cid = 666                        // Client ID
t = pageview                     // Hit Type
dh = https://www.victim.website
dp = /                           // Document Base
dt = Victim                      // Document Title
aip = 1                          // Anonymize IP
dr = http://spongebob.lol

Fake requests from Referral spongebob.lol and whitehouse.gov which appeared as page views in Google Analytics.

Now we understood what SparkTraffic meant by “Working with Google Analytics”.

How SparkTraffic generates fake traffic

SparkTraffic sells traffic and promotion of content. Each of these “promotion services” is called a “campaign”. Once a campaign is created inside SparkTraffic, the platform will once fetch all the links from the victim website that need to be “promoted”. That is exactly what IP address 66.175.210[.]166 is doing.

Once SparkTraffic has visited the pages once and learned the Google Analytics Tracking ID, it will start to spoof queries to Google Analytics to create fake traffic.

In order to fake the location of the queries, SparkTraffic is likely making use of (residential) proxies.

During the course of a few days, Qurium carefully monitored the real time traffic of the Google Analytics account of Nacionale.com. While we could not detect any of this “real time traffic” in our infrastructure, we could see in real-time how SparkTraffic was spoofing the Analytics requests in periodical bursts and waves. The discrete vertical steps in the following graph below shows how hits are created in batches. Traffic generated from real users do not display similar patterns.

Fake Traffic in Analytics looks like discrete steps in the Pageviews-graph (bursts)

When looking into the geographical distribution of the fake traffic, we could see that 100% of the fake analytics traffic was originated in Pristina (Kosovo)

100% Spoofed Analytics traffic from Kosovo.

Spark Traffic hidden backend retrieves a copy of each of the articles of the Newsletter before starts to spoof traffic in Google Analytics.

“Spoofed Analytics” is what Spark Traffic sell as “Guaranteed Traffic”

The final attribution test

The 9th of November, we performed a final round of tests to fully link Spark Traffic to the spoofed Analytics traffic. We decided to serve a different set of “Page Titles” and HTTP error codes to 66.175.210[.]166 that to the rest of the website visitors. If 66.175.210[.]166 was directly connected with the spoofing of Google Analytics’ traffic we could track our bogus “Page Title” and confirm if 66.175.210[.]166 has behind the traffic scam. Just within minutes after the visit of Spark Traffic, Google Analytics started to show Active Users reporting our specially crafted “Page Titles” that we just reported to Spark Traffic’s hidden server.

The 10 articles of the newsletter with our “crafted” Page Titles and HTTP error codes

Page Tittle includes the error codes 500 and 429 that we sent to Spark Traffic

Fake traffic had the same Desktop-Mobile ratio (66% – 33%)

All visitors were coming from single location

Conclusions

The so called “Newsletter service” of New Born Media did not have any valid subscribers, it was all a traffic scam. Instead, New Born Media used a service from SparkTraffic to generate false Google Analytics “traffic” without having to generate the actual traffic.

New Born Media did not only charge Nacionale a high price for the “service”, they also fooled them to believe that their audience was larger than it was.

We contacted New Born Media, their CEO Valdrin Rushiti and several members of their staff for feedback about our findings. At the time of this writing no concrete response has been received.

We also reached out Spark Traffic to seek clarity about their techniques to increase Google Analytics results. No concrete response has been received.

________

Update 22-12-2022

In the past two days we have exchanged a few mails with Valdrin Rushiti and Ornela Jauri that according to the company registry of Kosovo they act as “Director” and “Authorized Representative” of New Born Media LLC respectively.

Valdrin and Ornela has refused to address our three main questions:

Do you confirm the use of Spark Traffic as part of the techniques used to generate traffic and promote the content of your clients?
Can you confirm the use of residential proxies as part of the process of spoofing traffic in Google Analytics?
To what degree are you aware of the techniques used by Spark Traffic to increase traffic in the websites?

Annex 1: Dimitrij Alekszandrovics Sztupin

Dimitrij Alekszandrovics Sztupin is a Hungarian “business man” most likely located in Barcelona, Spain.

Nationality: Hungarian
Birth date: 28 July 1985
Email: dimitrisztupin @ gmail
Phone: +34 603860842

Sztupin runs a number of fraudulent companies, many of them in the field of traffic generation, but also Social Media Marketing (Selling Followers and Likes).

TrafficBot (trafficbot{.}uk 2014-2015)
TrafficBotPHP (trafficbotphp{.}com)
AlexaSpark (alexaspark{.}com )
VeryTraffic (verytraffic{.}com )
VisitorBoost (visitorboost{.}com)
OrganicTrafficBot (organictrafficbot{.}com)
LinkCollider (linkcollider[.}com)
SMMShop (smmshop{.}com)
UPSEO (upseo{.}com) – Backlinks

RiskIQ allowed us to link several of their websites as they shared the same *Tawk* *identifier in the support chat service*

Sztupin also operates several trademarks and a number of ghost companies (so called “shell corporations”) across Europe:

VocatoSL (Spain)
European Advanced Security Private Limited (India/neerajbhagat.com)
Azimuth Apps Ltd (Malta)
Pink Korps Limited (Malta)
UAB Senmira (Lithuania)
Activentures OU (Estonia)
Ecole Des Photographes (France)

A few examples of Ghost companies run by Sztupin include:

Vocatos (vocatosl{.}com) – bread and bakery in Spain
ChatMe (chat{.)me – chat application
TxtMe (txt{.}me) – chat application
Azimuth Software (azimuth{.}app, azmt{.}net) – recruitment of web developers

The curious reader might enjoy to have a look at the website of Azimuth Software, a company claiming to recruit and reallocate web developers to Malta. The website is a single html page with 17 stock photos.

The content of Azumuth.app website – another ghost company of Sztupin.

How is Spark Traffic getting paid?

When reviewing the multiple websites run by Mr. Sztupin as “Visitor Boost” (a website that claims to work with “Google Analytics”) we found that CGbilling/CommerceGate is used as a payment platform.

All services promoted by Spark Traffic and related services use CommerceGate a payment solution based in Barcelona (Spain).

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.