I have viewed two effected GA accounts, both were USA based, and both had banners on their homepages. The IE-direct hompeage traffic spiked on same day:
Friday 18th Feb 2-3pm - site1
Friday 18th Feb 9-10pm - site2
Note: GA default time setting zone may be different, so I am unable to correlate if started at the exactly same time.
I have updated the GA Custom report to show this traffic (and remove the screen 1024*768 resolution filter)...
*
GA custom report: IE6-9 on Windows - New Visits only - Landing on Homepage
https://www.google.com/analytics/web/permalink?type=custom_report&uid=2_CnuhWvT5WWP88KRkupvgI have read that the possible
intent of this Botnet is to either inflate CPM`s for publishing websites, or harvest onsite
emails for captcha boxes that require cookies. However, the email capture would require a crawl of the whole website - thus this reason seems
less feasible. Most of the traffic is from USA and language=us-en this supports that idea that it is
CPM intent (as non-USA traffic is generally filtered out by the banner networks).
If anyone is able to contact one of these effected IE users (e.g. via a popup), it would be really interesting to run the
HiJackThis diagnostic tool, and then ask the user to post the report-output. The report should highlight any IE plugin or malware etc.
http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msiAlso, looking for mouse movements, or human behaviours as a means of filtering-out this bot traffic would be useful, but obviously GA out-of-box does not support this feature. Although a GA beta function for
visible screen size is active, but the link to the report is hidden (e.g to know if the IE screen is being run in stealth mode or in a very small frame). Read this post for details:
http://translate.google.com/translate?hl=en&sl=it&u=http://www.goanalytics.info/analytics-si-prepara-a-registrare-la-dimensione-della-finestra/Also plugins scripts for page-scroll and mouse are available here:
http://cutroni.com/blog/2012/02/21/advanced-content-tracking-with-google-analytics-part-1/http://code.google.com/apis/analytics/docs/tracking/eventTrackerWrappers.htmlInstalling ClickTale on the homepage, then playing back a session would lso be interesting to seen, as this records page scroll and mousemovements byy default:
www.clicktale.com--------------------------------
OFF-TOPIC Note to GA team (or Apple iOS team) - Please update the GA log parser to separate-out
"
Mozilla Compatible Agent (web)" from "
Mozilla Compatible Agent (mobile)".
"Mozilla Compatible Agent on
mobile" is
legitimate traffic from AppleWebKit from browsing within MobileApps.
"Mozilla Compatible Agent on
web" is generally
robots from SiteConfidence bot, YahooNews bot, or Ask.com bot.
Readme: Blog post about Browser=Mozilla Compatible Agent here:
http://stackoverflow.com/questions/6121849/customer-filter-for-google-analytics-mozilla-compatible-agent-iphoneExamples:
GOOD: "Mozilla Compatible Agent" on iPhoneMozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_3+like+Mac+OS+X;+en-gb)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Mobile/8J2
GOOD: "Safari" on iPhoneMozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_1+like+Mac+OS+X;+en-us)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Version/5.0.2+Mobile/8G4+Safari/6533.18.5
BAD: SiteCondence, Gomez and Ask.com on WebMozilla/5.0+(Windows; U; Windows NT 5.1; en-gb; SiteCon/8.8.14)
Mozilla/4.0+(compatible; GomezAgent1.0; MSIE 7.01; Windows NT 5.0)
Mozilla/5.0+(compatible; Ask Jeeves/Teoma)
*
GA Report BotCheck: Mozilla Compatible Agent (Mobile) vs Mozilla Compatible Agent (web)
https://www.google.com/analytics/web/permalink?type=custom_report&uid=Ben2yDftSZmil8gNxBY56A--------------------------------
Thanks
Phil.