From answering beginner questions like ‘What is SEO spam?’ to breaking down the spammers’ code and exactly how they hide their injections in compromised websites, we have written regularly about spam at Sucuri.
If you’ve ever operated a WordPress website you will certainly have seen, at the very least, a litany of spam comments posted in your comments section. Typically what first comes to mind are links to spam sites informing you about cut-price pharmaceuticals that could improve your love life.
Over the years, however, spam has been gradually shifting away from these types of pharmaceutical products to the point that they are no longer as common. What we see most frequently instead is something else entirely: Essay writing spam.
What is Essay Spam?
Essay spam is easily one of the most prevalent types of spam that we see littering the web. Essentially, websites are hacked and (mis)used to post links to essay writing services. These services are aimed at high school, college and university students who are unwilling to do their homework themselves or are unsure if they can create a good enough essay and would instead prefer to hire someone else to do it for them. There are also many services tailored to help students cheat on exams. The number of websites offering such services is huge and likely speaks to the overall prevalence of academic dishonesty, plagiarism and high costs for things like textbooks and school supplies.
How Does the Hack Work?
Essay spam comes in all sorts of different flavours: It can be delivered through links injected into the database or theme and plugin files that have been modified to display hidden links. Overwhelmingly, though, the most common hack that we see takes the form of simple WordPress posts. The hack is very basic: The attackers brute force their way into the wp-admin administrator panel of a website and use the hacked admin account to post bogus posts/articles or edit the theme/plugin files. The articles themselves tend to be algorithmically written and contain some humorous grammatical errors:
Some spam using display = ‘none’ to hide from plain sight, pointing to a hacked site
The irony that these posts are clearly generated by a poorly-written algorithm doesn’t inspire much confidence in the quality of their end product, but I digress.
Spammers use a variety of different ways to conceal their payload. Here’s an example of using overflow: hidden to prevent it from displaying outwardly on the website:
This example appears to show as unclickable text:
Other injections prefer to automatically redirect the visitor to the spam sites:
But, most frequently, we see the presence of many thousands of spam posts added via the compromised wp-admin dashboard:
The posts are automatically generated and posted by spam bots on a periodic basis. If left unchecked long enough you could find yourself with many thousands of spam posts littering your blog and quite a large clean-up job to carry out by the time it is discovered.
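One way to check a rendered page for the concealment tricks described above (display: none and overflow: hidden wrapped around links to other sites). This is an added example, not Sucuri's SiteCheck logic; the site name blog.example.com, the sample HTML and the rule that overflow: hidden only counts on a 0-1px box are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
TINY_BOX = re.compile(r"(?<![-\w])(?:height|width)\s*:\s*[01](?:px)?\s*(?:;|$)")

def hidden_reason(style):
    """Name the concealment trick an inline style uses, or return None."""
    s = (style or "").lower()
    if re.search(r"display\s*:\s*none", s):
        return "display:none"
    # Assumption: overflow:hidden only conceals content when the box is 0-1px.
    if re.search(r"overflow\s*:\s*hidden", s) and TINY_BOX.search(s):
        return "overflow:hidden"
    return None

class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []     # (tag, reason) for every open element
        self.findings = []  # (href, reason) for hidden off-site links

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else None
        reason = hidden_reason(attrs.get("style")) or inherited
        host = (urlparse(attrs.get("href") or "").hostname or "").lower()
        off_site = host and host != self.site_host and not host.endswith("." + self.site_host)
        if tag == "a" and reason and off_site:
            self.findings.append((attrs["href"], reason))
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray closers.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for the hypothetical site blog.example.com.
SAMPLE = """<div class="entry"><p>See <a href="https://partner.example.org/">our partner</a>.</p>
<div style="display: none"><a href="http://essay-service.example/buy">write my essay</a></div>
<div style="overflow:hidden; height:1px;"><p><a href="http://essay-service.example/cheap">cheap essays</a></p></div>
<div style="overflow:hidden"><a href="https://cdn.example.net/x">cdn</a></div></div>"""
```

It only inspects inline style attributes, so links hidden through a stylesheet class or a script that sets the style at runtime need a rendered-DOM check instead.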
Origins of Essay Spam
Our first blog article on essay spam titled “Not Just Pills or Payday Loans, It’s Essay SEO SPAM!” was posted back in 2014 and our first SiteCheck signature to detect it was written roughly around that time. What exactly changed to spur the spammers to start changing gears away from pharma and towards essay writing? It was a little-known behind-the-scenes change in how pharma companies reacted to knock-off / bootlegged pharmaceutical products peddled on the black market.
Buying pharma products off of these bootleg websites is a game of Russian roulette. Typically the spammers source their wares from generic manufacturing facilities the world over, sometimes exactly the same facilities as the legitimate pharma companies. Given the nature of the black market and the total lack of oversight, however, they have been well documented to sometimes be cut with toxic and occasionally lethal substances. There is really no way to tell if what you are getting is legitimate or not.
However, since often-times the pharma products obtained from these websites are legitimate, generic substances, those combating the overwhelming prevalence of spam online initially did not receive any help whatsoever from the pharmaceutical companies. Not wanting to shed light on this alternative source for cheap pharmaceuticals that undermined their prices, big pharma turned a blind eye. Brian Krebs goes into great detail about this topic in his excellent book “Spam Nation” which I’d highly recommend to anybody who wants to know more about the economics of spam and malware.
Facing dauntingly high prices for drugs at home and sometimes lacking health insurance entirely, Americans and other Western consumers increasingly turned to these alternative sources for any and all pharma products that they were otherwise facing difficulty purchasing above the counter:
Not unlike other black markets, these alternative/foreign pharma companies would provide customer support and often bend over backwards for their clients in order to avoid credit card charge-backs at any cost. Like any other business, if your overall charge-back rate reaches a certain point you will quickly find yourself blacklisted by the major credit card companies and unable to process transactions.
Hell Hath No Fury Like a Trademark Infringement Scorned
As Krebs goes on to detail in his book, those combating the spammers and knockoff drug websites soon began to realise that they were fighting a losing battle and decided to change their strategy. Clearly they weren’t able to get the pharma companies on their side for selling generic drugs, but what about copyright infringement?
Terms like Viagra and Cialis are trademarked terms that the bootleg pharma companies were using to market and sell their wares through spam emails that they would blast out to as many email addresses as they could get their hands on. The drug manufacturers, when swayed to take action on copyright infringement instead, quickly changed their tune and helped intervene to prevent the spammers from using these trademarked terms. Sure enough, the spammers were instead forced to start using generic terms like sildenafil and tadalafil, but these are not exactly household names. It also became increasingly difficult for them to market and sell their drugs and process transactions online via credit card since the pharma companies had a word with Visa, Mastercard and the like with regard to the spammers’ blatant copyright infringement.
The spammers gradually started to shift their focus to other types of knockoff products and services that they could peddle without invoking the ire of powerful multinational corporations. Thus, enter essay spam.
Other Types of Spam
In addition to essay spam, there are a few other products and services that we commonly see in these spam posts:
- Knockoff sports jerseys
- Escort services and “mail order brides”
- Cell phone spyware (for jealous partners or overprotective parents)
- Knockoff designer sunglasses
- Software programs like photo editors
- Online casinos / slot machines
- Medical marijuana
Although some of these items may infringe copyright, most of them do not, and the companies affected by such trademark infringement are not nearly as powerful as the mighty pharma companies. The common presence of “mail order bride” services does obviously warrant concern, particularly considering the high prevalence of human trafficking related to crime syndicates.
I have also personally seen spam pushing links to cat food and aquaponics, although those were both one-offs and not exactly common!
Preventing Essay Spam
As we’ve detailed on this blog before, the best way – by far – to prevent such a hack from occurring on your website is to lock down your wp-admin panel. I recently wrote an overview of basic WordPress hardening that details some of the ways website owners can apply basic hardening and lock-down measures to their WordPress environments.
Website owners can also opt to employ our website firewall to protect their sites from attack as well as easily employ hardening measures for their environments.