Referer Spamming is Back!

It looks like referrer spamming is back and it’s more sophisticated than before.

I normally get a notification email from my stats package whenever I have had 100 visitors to the website. Note that’s 100 real visitors using browsers; it doesn’t count crawlers or bots. I normally get two or three a day; I’m running at about 270 unique visitors per day.
I noticed yesterday that I was getting them about every three hours. That’s more than twice the normal rate and I don’t recall anything happening on the site to justify it. I was immediately suspicious and investigated.
On looking at my stats package (I use Power Phlogger) I noticed lots and lots of hits on my home page all with the same referer (an unsavoury site to which I shall not link!).
“Oh!” says I (to myself), they are at it again. “…Wait a minute! They never showed up here before!” And indeed they didn’t. You see I have my stats set up so that you need a browser with JavaScript enabled to log an entry in my stats. That way I get a count of real people and not bots, crawlers, and other automated visitors.
My next thought, then, was that someone had come up with a referer spamming script that actually went so far as to decode the page and execute the JavaScript (loading another JavaScript file in the process). Hmmm… not likely really.
A closer look showed me that each visit was from a different IP address too. Again, I know that you can spoof IP addresses and even do it with automation, but then I noticed that some ‘visitors’ had visited the page more than once. In order for Power Phlogger to record that, you have to have accepted the cookie it sent and returned it with subsequent requests. I also saw that the user agent strings were spread across several different versions of Internet Explorer and on several different versions of Windows. With different screen resolutions! Finally I saw that several visits seem to have come via legitimate ISP proxy servers.
No-one would write a referer spamming script that sophisticated, would they?
The only conclusion I can draw is that this referral spamming is being done via trojan applications (or automated remote control), and is actually controlling Internet Explorer on the victims’ machines.
The implications for this are huge! Referral spamming is minor in comparison to what could be done.
Massive denial of service attacks that are indistinguishable from legitimate visitors? How about all those saved passwords on all those machines? If you have that much control of the victim’s machine then why not try to visit every single banking site you can think of and try to log in. You may as well start with the favourites folder, the victim’s bank is probably already in there. Imagine someone with Passport configured! I could think of lots and lots more.

The mind boggles at the insecurity of Windows!
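
Each of these hits looks like a real browser on its own, so the pattern only shows up in aggregate: one external referer, one landing page, and nearly every hit from a different IP address. The script below is an added example, not part of the original post or of Power Phlogger; the record layout, thresholds, host names and sample hits are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample hits: (client_ip, page, referer, user_agent)
SAMPLE_HITS = [
    ("198.51.100.%d" % n, "/", "http://spam.example/offer", "MSIE " + ver)
    for n, ver in enumerate(["5.5", "6.0", "6.0", "5.01", "6.0", "5.5", "6.0", "6.0"], 1)
] + [
    ("198.51.100.3", "/", "http://spam.example/offer", "MSIE 6.0"),  # returning visitor
    ("203.0.113.5", "/articles/css", "http://search.example/?q=css", "MSIE 6.0"),
    ("203.0.113.5", "/", "http://search.example/?q=blog", "MSIE 6.0"),
    ("203.0.113.9", "/about", "http://friend.example/links", "Firefox 1.0"),
    ("203.0.113.9", "/", "", "Firefox 1.0"),  # direct visit, no referer
]


def suspicious_referers(hits, own_host="www.example.org", min_hits=5,
                        min_ip_ratio=0.8, min_page_share=0.9):
    """Flag external referer hosts whose hits pile onto one page from many IPs."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(),
                                 "pages": defaultdict(int)})
    for ip, page, referer, user_agent in hits:
        host = urlparse(referer).hostname
        if not host or host == own_host:
            continue  # direct visits and internal navigation are not referral spam
        entry = stats[host]
        entry["hits"] += 1
        entry["ips"].add(ip)
        entry["uas"].add(user_agent)
        entry["pages"][page] += 1

    flagged = []
    for host, entry in stats.items():
        top_page, top_count = max(entry["pages"].items(), key=lambda kv: kv[1])
        ip_ratio = len(entry["ips"]) / entry["hits"]
        page_share = top_count / entry["hits"]
        if (entry["hits"] >= min_hits and ip_ratio >= min_ip_ratio
                and page_share >= min_page_share):
            flagged.append({"referer_host": host, "hits": entry["hits"],
                            "distinct_ips": len(entry["ips"]),
                            "distinct_user_agents": len(entry["uas"]),
                            "page": top_page})
    return sorted(flagged, key=lambda f: f["hits"], reverse=True)


if __name__ == "__main__":
    for row in suspicious_referers(SAMPLE_HITS):
        print(row)
```

The user agent count is reported but not used as a filter, because the traffic described here was spread across several browser versions.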