Today we are not going to explore malware or any other overtly malicious traffic. Instead this post is a warning about dishonest marketing tactics used by services claiming to improve your website traffic or Search Engine Optimization (SEO).

We recently received a report from one our clients claiming that their website was experiencing a Distributed Denial of Service (DDoS) attack. Our Website Firewall offers DDoS protection capable of mitigating very large-scale attacks and it is rare that we need to step in to help mitigate. After a quick look, it was clear that no DDoS attack was occurring. As I suspected the site was being fully protected by our Website Firewall and there was no malicious traffic to be found. However, I did notice some strange traffic patterns that piqued my interest, so I felt it was worth investigating the issue further.

Google Analytics Traffic Spike

Our client noticed some alarming changes in their Google Analytics reports and thought it was a DDoS attack. The website traffic had dramatically increased. This might sound like a good thing to some, however it was clear that this traffic wasn’t normal at all. Our own statistics from the Website Firewall indicated that traffic had sharply increased, but the additional traffic contained no malicious requests and the geo-location did not seem like a typical DDoS attack.

What really stood out was that the increase in traffic had occurred almost overnight, like someone had flipped a switch. Furthermore the increased traffic had been very consistent and lasted for around 3 weeks before peaking. This is quite different from standard DDoS attacks where the duration is only a few days.

Audience > Networks > Service Providers

We asked our client for access to their Google Analytics account so that we could leverage this functionality for our investigation. Google Analytics is a very powerful tool that allows webmasters to easily visualize their site visits and explore traffic patterns that emerge.

I started by comparing the Network Service Providers that requests were coming from, before and after the traffic increase. This comparison showed around 75 new networks that were recently sending hundreds of requests to the website per day, yet had never sent requests to the website before. These requests also matched the increase in total site visits seen in the CloudProxy statistics. With this comparison we were instantly able to isolate the networks this new traffic was coming from and see what exactly what this traffic was doing.

Beautiful Fake Traffic

Looking at the traffic statistics from only these new networks, the behavior was just a little too ‘perfect’ to be normal users visiting the site:


When included in the total traffic stats, this traffic would blend right in and just look like an increase in visitors; however, when viewed in isolation, the traffic from these new networks definitely looked suspect. The new traffic always had a session length of 3:40 – 4:00 minutes, viewed on average 4.2 pages per session and had a 50% bounce rate.

However the real giveaway was that 100% of these sessions were new, 100% were direct traffic and nearly all of them started in a URL other than the home page. At this point it became pretty clear that the traffic was being generated automatically.

As I mentioned at the start of this blog post, none of the requests sent from these new networks were malicious. There were no POST requests, no encoded characters, no sensitive files being accessed and the rate that the requests were sent clearly were not a DDoS attempt. So why was this traffic being generated?

Spammy Service Providers

Luckily many of the names of the Network Service Providers in Google Analytics provided some clues.

The websites of two 'different' networks the traffic was coming from.

The websites of two ‘different’ networks the traffic was coming from.

Along with various cheap VPS providers, a number of online marketing and blackhat SEO companies were listed as the networks the new traffic was coming from. At this point it was easy to put two and two together. Our client had possibly hired someone to increase their site traffic and got more (or less) than they bargained for. It’s also possible a malicious competitor paid someone to mess with their traffic. This kind of thing can happen with link farms, another staple of blackhat SEO. While there certainly was a dramatic increase in traffic to their site, it was all completely worthless and only served to muck up their Google Analytics statistics.

Avoid SEO Snake Oil

$5 Traffic Gigs for sale on Fiverr

$5 Traffic Gigs for sale on Fiverr

Unfortunately in the world of SEO there is no shortage of snake oil salesmen. These ‘SEO’ companies promise unrealistically fast results and rely on their clients lack of expertise to make their money. Real SEO, much like online security, is a process, not just a switch that can be instantly flipped on and off.

One of the most simple and important steps webmasters can take to improve their site SEO is to make sure their site can be easily indexed. It’s also important to ensure the title and meta descriptions of your pages match the topics of your website. Developing a community and spreading the word about your site is also important because the more reputable links there are pointing to your site, the higher your search engine ranking will be.

If using WordPress or Drupal, I personally recommend using the great Yoast SEO plugin. In addition to their free plugin, you should definitely consider engage with the team at Yoast if you’re looking for a review of your website.


There are certainly legitimate SEO companies around that offer a valuable service, but we recommend taking the time to do a little research before parting with your hard-earned money. A good rule of thumb is that any ‘SEO company’ that contacts you for the first time using email should be avoided, these are usually just a slightly more advanced form of spam.

You should understand that improving your site SEO rankings with Search Engines takes time, so if any SEO company promises instant results, know they are lying. Blackhat SEO is never worth the risk. Being able to meet with the SEO company face-to-face and have them explain exactly how they intend improve your site rankings is a big advantage that should not be underestimated.

Finally, it is also worth taking the time to read some SEO tutorials yourself to get a better understanding of what good SEO entails. Like all things, the more educated you are about a topic, the easier it is to find the best deal available and avoid common pitfalls. You can start with Google’s SEO Guide and follow the Google Webmasters blog for official SEO insights.

Have you ever hired an SEO company that promised instant results? Did they deliver on that promise? If so, did you verify the results by diving into the data? Did the data look a little too perfect?


Source: Keir Desailly for SUCURI