Eric Bergman-Terrell's Blog

Spider Spins a Web of Deceit?
October 26, 2015

I've been noticing something strange in this website's logs. A high percentage of the referer URLs point to Russian gambling sites. Could it be that this website appeals to Russian-speaking online gamblers? That doesn't seem very likely to me. I think this is a scam that works as follows:

  1. A spider targets low-traffic websites, with bogus referer URLs pointing to gambling sites
  2. The webmaster looks at a report that shows a relatively large amount of traffic from the gambling sites
  3. The webmaster browses to the URLs to investigate
  4. The webmaster starts gambling on the gambling sites

I wonder how often this scam gets to step #4? How could the gambling sites get enough revenue to justify the expense of the servers doing the spidering? Or are those servers just hijacked user machines in a botnet?

It's clear from my logs that this traffic is not coming from actual human web surfers:

[2015-10-24 15:43:02.406] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 15.092
[2015-10-24 15:43:02.426] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 13.100
[2015-10-24 15:43:02.543] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 11.389
[2015-10-24 15:43:03.000] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 19.081
[2015-10-24 15:43:03.018] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 15.431
[2015-10-24 15:43:03.597] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 12.707
[2015-10-24 15:43:03.741] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 42.790
[2015-10-24 15:43:04.182] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 14.877
[2015-10-24 15:43:05.332] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 14.524
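
One way to detect the pattern visible in these log lines, as an added example that is not code from the original post. It assumes the field layout seen above; the function names, thresholds, `blog.example` host and the sample lines (documentation IP addresses and `.example` hosts) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Field layout inferred from the log lines above: timestamp, level, logger, IP,
# method, HTTP version, path, referer, user agent, status, response time.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \S+ - (?P<ip>\S+) [A-Z]+ \S+ (?P<path>\S+) "
    r"(?P<referer>\S+) (?P<ua>.*) \d{3} [\d.]+$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a request line in the expected layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["ref_host"] = urlsplit(rec["referer"]).hostname or ""
    return rec

def referer_spam(lines, own_host, window=timedelta(seconds=5), min_hits=4):
    """Return {(ip, path): referer hosts} for clients that request one page
    min_hits+ times within `window` while claiming 2+ external referers."""
    by_key = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["ref_host"] and rec["ref_host"] != own_host:
            by_key[(rec["ip"], rec["path"])].append(rec)
    flagged = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window start forward until it spans at most `window`.
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["ref_host"] for r in recs[start:end + 1]}
            if end - start + 1 >= min_hits and len(hosts) >= 2:
                flagged.setdefault(key, set()).update(hosts)
    return flagged

# Constructed sample (hypothetical values), shaped like the lines above.
BOT = ("[2015-10-24 15:43:0{}] [DEBUG] dev - 203.0.113.7 GET 1.1 /blog/203/ "
       "http://{}/ Opera/9.00 (Windows NT 4.0; U; en) 200 15.092")
SAMPLE = [BOT.format(t, h) for t, h in [
    ("2.406", "casino-a.example"), ("2.426", "www.casino-b.example"),
    ("2.543", "casino-c.example"), ("3.000", "casino-a.example"),
    ("3.018", "www.casino-b.example")]]
SAMPLE.append("[2015-10-24 15:44:10.000] [DEBUG] dev - 198.51.100.20 GET 1.1 "
              "/blog/203/ https://search.example/ Mozilla/5.0 (X11; Linux x86_64) 200 12.000")

if __name__ == "__main__":
    print(referer_spam(SAMPLE, own_host="blog.example"))
```

Flagged referer hosts can then be excluded from traffic reports so they never reach step 2 of the list above.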

Stepping outside during a Colorado winter is enough of a gamble for me!

P.S. I am not misspelling the word "referrer". The HTTP referer header was originally misspelled, but it's now an international standard.

Keywords: Spiders, logging, scam, botnet, Russian gambling websites, referer urls
