Eric Bergman-Terrell's Blog

Spider Spins a Web of Deceit?
October 26, 2015

I've been noticing something strange in this website's logs. A high percent of the referer urls point to Russian gambling sites. Could it be that this website appeals to Russian-speaking, online gamblers? That doesn't seem very likely to me. I think this is a scam that works as follows:

  1. A spider targets low-traffic websites, with bogus referer urls pointing to gambling sites
  2. The webmaster looks at a report that shows a relatively large amount of traffic from the gambling sites
  3. The webmaster browses to the urls to investigate
  4. The webmaster starts gambling on the gambling sites

I wonder how often this scam gets to step #4? How could the gambling sites get enough revenue to justify the expense of the servers doing the spidering? Or are those servers just hijacked user machines in a botnet?

It's clear from my logs that this traffic is not coming from actual human web surfers:

[2015-10-24 15:43:02.406] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 15.092
[2015-10-24 15:43:02.426] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 13.100
[2015-10-24 15:43:02.543] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 11.389
[2015-10-24 15:43:03.000] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 19.081
[2015-10-24 15:43:03.018] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 15.431
[2015-10-24 15:43:03.597] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://********.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 12.707
[2015-10-24 15:43:03.741] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 42.790
[2015-10-24 15:43:04.182] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://www.*************.com/ Opera/9.00 (Windows NT 4.0; U; en) 200 14.877
[2015-10-24 15:43:05.332] [DEBUG] dev - ***.***.***.*** GET 1.1 /blog/203/ http://*************.ru/ Opera/9.00 (Windows NT 4.0; U; en) 200 14.524

gamble
Stepping outside during a Colorado winter is enough of a gamble for me!

P.S. I am not misspelling the word "referrer". The HTTP referer header was originally misspelled, but it's now an international standard.

Keywords: Spiders, logging, scam, botnet, Russian gambling websites, referer urls

Reader Comments

Comment on this Blog Post

Recent Posts

TitleDate
How to decompile Java code with JetBrains IntelliJ IDEA (2018.2.3, Windows 10)October 5, 2018
Java Programming Tip: SWT Photo Frame ProgramOctober 31, 2016
Vault 3 (Desktop) Version 1.63 ReleasedSeptember 9, 2016
"Compliance with Court Orders Act of 2016"April 9, 2016
Disable "Visual Voicemail" on Android / T-MobileJanuary 17, 2016
IPv6 HumorDecember 10, 2015
Java Programming Tip: Specify the JVM time zoneDecember 7, 2015