Getting on Top of the “Payday Loans” Site SEO Hacks

 

It’s not very often that SEO-related affairs hit the major news outlets here in the UK (or anywhere else for that matter), so when it does chances are that it’s something worth taking note of, right? In this case, yes! Sky News (I know, hardly the most upstanding news portal – great at driving ad revenue though!) has recently reported a marked rise in the number of websites being hacked in order to help Payday Loans companies rank highly within Google. Whilst it’s not unusual to see webmasters try their hand at “black hat” SEO tactics and sink their websites altogether, what makes this whole thing the more concerning is that it could potentially affect you without your knowledge!

The original news story on Sky.com was sketchy in the technical details, and the modus operandi of the particular hackers in question isn’t exactly a new one (the most recent activity was spotted by Tim Capper on G+ a couple of weeks ago). To put it simply, the hackers upload a virus to a website or server and then inject their own content, targeting the keywords they want to rank highly for, e.g. “payday loans”, and then create links to their own websites. In the first instance this provides a high quality link from the target site, but in addition the hackers then direct a high number of low quality links to those hacked pages - something that can be very damaging to your site after Google’s Panda/Penguin Updates.

When you multiply this process by tens, hundreds or thousands of times the sum total of their efforts is page #1 visibility in Google for the hackers’ chosen keyword with little effort on their part. Before everyone starts to panic, Google is quite capable of detecting these tactics and removing these Payday Loans sites that are responsible. However, the mild worry here is the fact that these sites still hold the coveted top-spot for long enough to make their money before getting penalised and disappearing again.

Like most “black hat” tactics, this method will exist as there’s a way to make money out of it, and some websites will get caught in the crossfire. Until Google moves to combat this particular brand of linking in a more decisive fashion, there are some steps you can take to minimise and monitor any impact on your own rankings if you find yourself a victim of this!

Secure Your Website Against Hacking Attempts

This goes without saying, but the real first step in protecting yourself against having your site hacked or hijacked is by making sure it’s secure in the first place. This can mean different things for different people depending on the type of content management system you work on and other infrastructural factors.

If you’re running your website on an open source system like WordPress or Drupal, then there are some fairly widely known security issues that are fairly easily fixed, but require some technical know-how to do so. The best step is to contact your developer or the makers of the CMS itself and enquire as to the best way to secure it against malicious hacking - for example, WordPress support provides some excellent resources.

Regularly check your backlinks

For most non-SEOs checking backlinks won’t be on your list of priorities, but it is one of the best ways of keeping an eye on what is being directed at your site. There are many great tools for checking the kinds of links to your site such as AhrefsMajestic SEO and Open Site Explorer, however, most come with a price tag which will be too hefty for most. The free (but less effective option) is setting up Google Webmaster Tools - something you should do ASAP - and using the data it provides about your website.

  1. Majestic SEO

    You can create free reports for your own website which can give you the anchor text information you need - Majestic has one of the freshest indexes and is most probably the easiest to use. For free access you will have to login and verify ownership by uploading a file via FTP - something your developer can help with if you’re unsure how!

  2. Ahrefs

    We run a number of different pieces of software here at High Position and for me this is my pick, its has some of the freshest data and has some other features for expert use too! This is still very easy to use though, just enter in your URL and click search and you’ll be given all the vital linking statistics for your site. From here navigate to “anchors” and you’ll see the list from highest count to lowest. If there’s evidence of text that doesn’t make sense or shouldn’t be there, you may have an issue.

  3. Google Webmaster Tools

    This will provide you with lists of the newest links to your site and whilst this doesn’t give a lot of data, if you’re willing to check a few stranger looking domains manually it could well highlight any issues.

Conduct regular audits of your website

This is very important because most of these hacking attempts have added completely new and unrelated sections to your website. Some of the more conspicuous hacking attempts may just drop new pages onto your website or add new sections entirely, these are the easiest to spot and the following tools will help you find them easier:

  1. Xenu’s Link Sleuth & SCreaming Frog

    Xenu is a free “spider” which crawls all of the pages of your website and can quickly give you an idea of whether there are any pages on your site that aren’t supposed to be there. You just enter in your URL and it crawls (looks at) all the pages and gives information such as page title, its meta description and more.

  2. Screaming Frog

    Screaming Frog is another website crawler, similar to Xenu - but not free - this will do much the same thing, however, the interface is more user-friendly and easier to drill down into the data.

The most sophisticated hacking attempts will ultimately be much harder to spot - sometimes they’re not visible to the naked eye or anyone else but Google! In these situations spotting the damage done is tough but there are ways of identifying issues as they arise.

  1. Google Webmaster Tools

    Check the indexed pages count in GWT, if you see a large spike in Google’s index and you haven’t added to or altered your website significantly, this may be a cause for further checks.

    NOTE: This can also be caused by other activity, such as updates to Google’s algorithm or changes in crawlers behaviour - still, it is worth keeping an eye out for large, unexpected jumps in activity.

  2. Search Operators

    Use the “site:” command to check the pages of your site that Google have indexed - this is probably the most hap-hazard of the methods, although you can use it to search for different keywords within your site and identify any new pages, for example site:yoursite.com (“payday loans” OR “term loans”).

  3. Google Alerts

    Whilst the (above) search operator method works well, you have to remember to check regularly to keep on top of things. Google Alerts is a good way of receiving notifications when the content you’re looking for appears in Google’s Index. You can experiment with the different queries, for example monitor for “viagra” or “porn” based terms as well. If you set up a lot of these alerts you can have them delivered via RSS feed to Google Reader or similar so you have all of your alerts stored in one place.
  4. Change Detection (software)

    You can get someone else to keep tabs on your website for you, for example Change Detection acts as an automated change log which emails you when any major alterations are detected. Using this can be a little hit and miss though, especially if you have a large site that changes frequently - so when you’re setting up an alert you may need to change some of the settings to find what works best for your site. One thing to note is that if you only select “sizeable change” you may miss a lower key hacking attempt.

  5. Google Webmaster Tools (again)

    If you don’t notice before Google does, you will likely receive a message from them warning you that your site has been hacked. Whilst this means you’re too late, if they’ve spotted it, chances are they have managed to remove any penalties your site may be suffering from as a result of the hack - this isn’t always the case though.

Keep an eye on your own rankings/traffic

If you’ve been hacked in a bad way and there has been a tonne of low quality links pointed towards your site there’s a chance your rankings will take a hit as Google applies an algorithmic or manual penalty against your site as a whole, or against specific keywords. Whilst this isn’t always the case, negative SEO attempts have the potential to be very damaging, especially if you don’t have a lot of high quality links to your site already.

  1. Google Analytics

    The best way of seeing if you’ve been impacted is to check the organic traffic in Google Analytics to your website. If the amount of visitors drops then there are potentially many reasons behind this, but it could be linked to hacking attempts. NOTE: There are other possible reasons too, like seasonality, industry trends and other outside factors.

  2. Google Webmaster Tools (yet again)

    Google Webmaster Tools can be used to monitor average rankings, position and clicks within SERPs - this data can be used to indicate any significant drops in your rankings. Be aware that Google makes over 500 updates/changes (see our algorithm update history) a year to its algorithms, so hijacking/hacking attempts could be one element of this

What to do if you Have Been Hacked?

  1. Don’t panic
  2. Get in touch with your Developer - They will ultimately be the ones responsible with clearing up the mess and ensuring it doesn’t happen again - but this doesn’t mean it was their fault! If you are your own developer you’ll need to remove the offending pages from your site right away and get in contact with your hosting company to report the issue.
  3. Request the URLs of the hacked pages to be removed - If the hacking attempt has created unwanted pages on your site then you will want to remove those from Google’s index, or at least indicate to Google that you want them gone. Physically take the pages off your site and have the server return a 410 (gone) response, then use Google Webmaster Tools to request removal from the index.
  4. Disavow - If you’ve had a load of bad links pointed at you you’ll want to ensure they’re disavowed, this is the best way to distance yourself from them and tell Google that you don’t trust them. There’s a lot of different thoughts about the disavow links tools Google and Bing have provided, however if you’ve taken the time to identify the links you think are damaging, submitting these to Google will make you doubly sure that these aren’t just poor quality SEO activity.
  5. Reconsideration request - You shouldn’t need to worry about this if Google is doing its job properly, but if you have received any unnatural link warnings (through Google Webmaster Tools) and you have reason to believe they haven’t notified you of any hacking/malware attempts then you may need to submit a reconsideration request to have your site re-evaluated. This can be a complex and long-winded approach, although in some instances it may be needed.

And Finally…

Whilst incidences of this kind of hacking have been rising as certain niches embrace more “black hat” tactics for their own quick wins, this isn’t some kind of SEO pandemic so don’t get too paranoid about this. If you’re concerned that you may have been a victim of this kind of hacking or similar then get in touch, we’ll help you get to the bottom of this.

At High Position, we advocate conducting regular audits, checking on-page and off-page issues as it can give a far greater insight into the overall SEO health of your website - this is the best way of picking up issues as quickly as possible.

Do you have any experiences with this kind of hacking attempt or found yourself a victim recently? Perhaps you have other ways of monitoring/protecting your website against these tactics? If you have a story to tell, leave it in the comments below - it’ll be great to hear from you!

 

7 thoughts on “Getting on Top of the “Payday Loans” Site SEO Hacks

  1. Hi Chris,

    Nice article. I wrote in the past a few articles on the subject. They detail how exactly this is going on ( as a technique).

    Here they are :

    http://cognitiveseo.com/blog/1075/black-hat-seo-technique-exposed-payday-loans/
    http://cognitiveseo.com/blog/1914/new-black-hat-technique-beats-the-google-penguin-and-emd-updates/

    Indeed monitoring your site for hack attempts is crucial. Best think would be to checksum your file directory and have a script validate that checksum daily.

    Just me 2 cents.

    Cheers,
    Razvan

  2. Hi Razvan, those case studies are an excellent read and certainly an eye-opener as to the sophistication of these types of “back hat” (“crap hat”) tactics!

    Thanks for getting in touch and for your two cents of the matter; I know it’s a well trodden topic, but it’s recent media exposure and the addition discussion can make a difference for those who are concerned that may have (or may be) a victim of this.

  3. This morning I’ve come across yet another type payday loan related hacking but in a more basic form. In this instance the malicious code affects website seemingly running Joomla 1.5.

    The hack is simple. The malicious code inserts the text “By PDMAMLS” followed a hyperlink with the anchor “payday loans uk” linking to payday-mama.co.uk. See for yourself - https://www.google.co.uk/search?q=%22By+PDMAMLS+payday+loans+UK%22.

    The issue clearly stems from a security vulnerability within Joomla however it would go unnoticed to the naked eye. It should be relatively simple to overcome but will inevitably require some development time to identify the root cause and remove the infection.

    This is nothing new! Injection hacking like this has been around for a long time but the sad thing is that this technique appear to be working. As I write, payday-mama.co.uk resides at position 1 within a UK Google search for ‘payday loans’ before 301 redirecting to purplepayday.com with an affiliate ID.

    If you’re running Joolma 1.5 you may wish to check for this type of hack.

    1. Disable JavaScript and CSS within your browser (see the browers help files if you’re not sure how to do this).
    2. Search on the page for ‘payday loan’ or ‘PDMAMLS’.
    3. If you find a malicious hyperlink contact your developer immediately, or seek alternative help.

    Clearly Google still have some work to do to overcome the payday loan thieves!

  4. Chris thanks for a very useful post - one of our news sites was hacked late last year (not with the payday loans as you describe in this post though) and it was quite a nightmare getting everything restored from backup. We’ve since been using the Wordfence plugin which is a bit resource intensive but seems to be quite effective in detecting file changes and unauthorised activity on WordPress-based platforms.

    • Hi Sizwe - glad you got everything under control in the end. Which plugin was it you ended up using to track any changes? I guess the trade off in resources used against being able to keep on top off any unauthorised access is one that needs to be considered.

  5. Chris I thought it was jut me who faced a similar attack. It wasn’t from any PayDayLoan site rather it was from a Casino site which I didn’t look at.

    I think and have read somewhere that having default admin username is not the right way to set up your wordpress site.

    • Having default User details on any CMS is not a great idea, it makes brute-force attacks all the easier for any botnets lurking out there.

Leave a Reply

Your email address will not be published. Required fields are marked *