Published on
Zach Jackson
Last updated on

Recently, there has been a surge in a new ghost spam viral exploit affecting websites worldwide, particularly in Google Analytics 4. We want to bring this to your attention to ensure the safety and security of your online presence.

Summary in brief

  • A ghost spam exploit is targeting websites globally.
  • Spam referral traffic can lead to extensive phishing attempts.
  • Avoid checking sources of suspiciously high referral traffic.
  • Google is attempting to block the exploit, but vigilance is necessary as IPs and source sites are changing rapidly.
  • Stay informed and monitor GA4 accounts for any unusual activity.

What's happening?

This exploit, known generally as ghost spam, is hijacking GA4 through what is thought to be an exploit of Google Tag Manager (GTM) tags, resulting in spam referral traffic in reports. How exactly this is happening is not yet known.

The exploit is presumed to have originated in Russia, with the spam referral traffic initially arriving from the news.grets.store site in Poland. It has since spread to other source sites, such as static.sender and rida.tokyo.

Why it's dangerous

Missing data in Google Analytics 4 is a common occurrence. Finding data that you didn't expect in your reports? Less so. But this is precisely what those targeted by the spam are discovering.

Appearing as a sudden spike in referral traffic in GA4, the ghost spam is designed to grab attention and encourage users to click through to see where all the referral traffic is coming from.

Clicking on the links leading to the referral sites can trigger pop-ups asking for notification acceptance. Those who accept have reported receiving an influx of spam emails and phishing attempts for financial details.

Confirming details with the spam sources can lead to exploitation of emails, scam phone calls, and possible website compromise.

With the Google Consent Mode 2 deadline narrowly out of the way - and other deadlines, such as the EEA 2025, looming - this is the last thing website owners will want to see. But, once again, you need to be vigilant about your online presence.

What should you do?

It's crucial not to click on these links or visit the referring sites when reviewing website performance in Google Analytics 4. Google has been attempting to block them, but the IPs are changing daily, and the number of source sites is increasing rapidly.

Website owners should remain cautious of increased communication from unknown sources.

Contact TDMP for assistance

We'll be closely monitoring GA4 accounts to track the spread of this exploit. Please don’t hesitate to contact us if you have any concerns, require further assistance, or would like to discuss additional services.