LeadsGO fraud with Google Analytics hits

Massive referral traffic spikes after spam attacks from leadsgo.io.

Not uncommon in recent years and still relevant today: you look at your Google Analytics web interface and see a massive increase in traffic on just one day of the month. On some days, your website traffic can be 200 to 400 times higher than your baseline. The reason: spam tactics and hit fraud from software marketers or lead agencies. Here is an example from LeadsGO.

The problem: leadsgo.io spam traffic

Here’s a textbook example: You look at your Google Analytics web interface and see an image like this:

LeadsGO session fraud

On August 20, instead of a maximum of 10 daily sessions, you suddenly see 400 sessions in the daily session chart. An increase of 400 percent. Your feeling: That can’t be right! On closer inspection, it becomes clear. The 400 additional sessions all come as referrals from the domain leadsgo.io. Suspicious!

And user acquisition is no different! (Users and sessions are measured differently).

LeadsGO user fraud

And at this point it’s clear: you’ve fallen victim to fraudulent traffic spam from a company (in this case LeadsGO) that doesn’t care in the slightest about the reliability of your web analytics data.

Why do providers like LeadsGO falsify your traffic statistics?

The interesting question now: Why should a company (that also wants to sell me something) artificially spam me with traffic? A legitimate question! The answer, in most cases, has two motives: Brand awareness and a sick form of sales psychology.

Brand awareness through traffic fraud

Marketers of such lead agencies know that there are nerds out there like us at THE BIG C Agency: We regularly check our Search Console performance and examine our Google Analytics reports almost daily. They shamelessly exploit this fact. The first thing you do when you discover a new traffic source is to see who is behind it. Either via Google search or by calling up the spam domain directly, you can see “which Otto has distributed 400+ web sessions here”.

Even if the result is sobering: At that moment, the person concerned learns of the existence of the brand (in this case leadsgo.io) for the first time. Accordingly, this traffic fraud generates brand awareness (even if it does not have a positive connotation).

The hit spam sales psychology

Even if “sales psychology” is a bit of a stretch here, such spammers also try to influence a potential customer. The sales promise of such lead agencies is often as follows:

“Imagine if you got 400 visitors to your website every day – how much money could you make? We can make that happen!”

Why Spam

This narrative should be familiar by now from cold emails and is not really tenable. But in an abstruse way, all the fake hits are also supposed to be a kind of product demo.

Not sufficient for a DDOS attack

Anyone who now thinks that this type of hit production is a kind of DDOS attack against their own company can relax. For one thing, the amount of traffic is not even enough to bring a home server from the 2000s to its knees. Secondly, it would be illogical to produce “visual” hits in a browser with referral during a DDOS attack and not directly contact the server with requests.

How do hit spammers generate so many hits on your website?

The challenge in producing hits that look real for Google Analytics lies in the following dimensions:

  1. The website must be loaded to such an extent that the Google Analytics script also loads.
  2. A consent gate often has to be overcome with “Accept”.
  3. After each call, the cache and cookies must be empty in order to be able to simulate new users and sessions (and possibly even be offered a new IP).
  4. The hits must have a certain time offset so that no server-side blocks occur or security components of the website or store take effect.

In general, there are several ways to accomplish this:

Browser automation: The easiest way is to write scripts or build no-code flows that cyclically execute a strict sequence such as open browser > Visit website > Click link > Wait for loading.

Bots and crawlers: Somewhat more automated scripts can also be written that generate fake HTTP requests with fake Refferer attributes directly to GA4 on a website.

Abuse of the measurement protocol: In some cases, fraudsters such as leadsgo.io can also address the GA4 measurement protocol (a kind of hit API) with the GA4 measurement ID of the person(s) affected and store the fake information including referrer there.

How can you as a company protect yourself from traffic fraud?

To stop seeing so much unexpected spam traffic in your Google Analytics reports, you can implement the following measures:

Server-side GA4 tracking: By redirecting the hits from your website to a server-side container, you can prevent the hits from being passed on to Google Analytics servers at server-side level. The easiest way to do this is via blocklists and blocking triggers.

Client-side blocking: If you have a clear idea of the spam domains (here: leadsgo.io), you can also configure blocking triggers when loading tags in the client-side container.

Securing the GA4 measurement protocol: The use of the measurement protocol can – like pretty much any API – be restricted. This means that external spammers can be excluded by setting up API keys that exclusively authorize the sending of hits.

Google Analytics bot traffic filtering: The option for bot traffic filtering can be activated in Google Analytics. This is not perfect (because it does not always recognize the latest spammers), but it is a good basic protection.

Tags