in Search

[CASESTUDY] Hacking Joomla Plugins to Rank No.1 in Google for ‘Payday Loans’ in Under 4 Weeks

* Skip to the end of the article if you want to learn how ‘Payday Uncle’ ranked number 1 in under 4 weeks for ‘payday loans’ in Google UK.

I’ve been doing a little research into the payday loan niche recently. Payday loan rankings are an extremely competitive arena littered with thin spammy affiliate sites with crappy loan conditions.

The big players such as Wonga, PaydayUK and Quick Quid are spending tens of thousands a month on SEO, PPC and Affiliate campaigns to battle for position on these high value keyword phrases.

Obviously they wouldn’t have those budgets if the ROI on search was bad. People searching for ‘payday loans’ are looking to secure a loan, and conversions from ‘visits’ to ‘pay outs’ are in the region of 2-5%. Once you look at the APR these firms charge, you see how they quickly turn a profit if they have traffic.

Borrowing £400 from will mean you have to pay back a whopping £525.48, 30 days later.

This opportunity to make money attracts another crowd – the affiliates. Affiliates will be paid, on average, £25 for each lead that converts to a confirmed loan payout. Often more.

The big affiliate’s are making serious bank (5 figures) each month just for passing on leads from their websites ranking in the search results. Even the small guys can make good beer money with rankings on the long tail.

The bulk of the affiliate sites I’ve seen in the search results (both organic and PPC) are built with a 3-4month outlook before 1 of these happens:

  1. they are replaced by another competitor
  2. they have their Adwords account suspended for breaking PPC guidelines
  3. they see a drop in rankings as their short term link building efforts catch up with them.

They are junk sites with no value add to visitors, but these guys know the game. They don’t expect to see one of their websites still ranking in 12months time, it’s the “churn and burn, pump and dump whatever the f*** you want to call it” model:

  1. register new domain
  2. upload a cookie cutter template, with lead gen form connected to a loan affiliate scheme
  3. pump/hack a load of backlinks to the domain over a 2 week period
  4. enjoy the commissions for a few weeks
  5. continue trickling more links to increase rankings
  6. go back to step 1

Rinse and repeat. Call it what you want – black hat, crap hat – aside from the monster financial sites like, it’s how the vast majority of payday loan affiliates you see today in the search results are operating.

So lets look at a case study.

Enter “Payday loans” into Google UK and we see “”, that well known financial establishment in the UK, ranking number 1 for one of the most competitive keywords on earth.

To put this into perspective, the Google Keyword Tool claims the phrase “payday loans” gets 200,000 searches a month in the UK. The Google Keyword Tool is always wrong, so lets say 25,000 searches a month to be conservative. Converting 2% of those visitors (500) would mean commissions in the region of £12,500 a month. 1 website, 1 keyword.

"LOL" at the Google Adwords domination for this keyword. Tsk, tsk Google.

“LOL” at the total Google Adwords domination for this keyword. Tsk, tsk Google.


Step 1: Register new domain

Well it certainly is new – the whois check shows Sharif Mamdouh from Egypt (real details?) registered the domain on the 15th November 2012, and like all reputable establishments, for a registration period of one year:

Wait, what?! That's like only last month...

Wait, what?! That’s like only last month…More on that later.

Step 2: Upload a cookie cutter template…

Quite funny how all the affiliate guys are using exactly the same format, from a front end perspective, to maximise lead generation:

  • Some sort of ‘cute’ cartoon to distract you from the shocking reality of a payday loan
  • Lead capture form or ‘apply now’ button to drop affiliate tracking as soon as possible




  • A load of spammy text ‘below the fold’ to accommodate loan related keywords to tick the boxes in the eyes of the search engines. This text isn’t intended to be read by humans but helps with ranking for the target keywords and similar alternatives.



  • Navigation consisting of pages filled with fluff content to convince you (and Google) they are a reputable business and not just another thin affiliate site, for example ‘About us’ ‘FAQs’ and ‘Contact Us’


A contact page with no phone or business address - chances are it's run from a bedroom.

A contact page with no phone or business address – chances are it’s run from a bedroom.

  • Fake customer reviews and testimonials. E.g: “Fast, simple and effective. Highly recommend PaydayGutterLoans! – J.Smith, London”.
  • Links to social media accounts to provide ‘proof’ they are genuine. The truth is they are often automated accounts with fake followers purchased from Fiverr. Seriously – who on earth would ‘like’ a Payday loan website anyway?
  • “This site is like really super secure” style logos in the footer. The problem is, you should be able to CLICK on these Verisign/GeoTrust logos to verify the website you are on. Affiliate sites just use the logo image, and are not verified.



Step 2 Continued: …lead gen form connected to a loan affiliate scheme

Under the hood of Payday Uncle is a regular old ‘pinging tree’ affiliate program which does the following:

A pingtree describes a panel of online lenders, lined up in order of who pays the greatest commission. As a lead or customer completes the application form and clicks submit, their details are passed across this tree of lenders until a real time acceptance is given by one of the lenders.

Or to put it another way, once a lead completes the form they’re bombarded with phone calls to sign up for a loan. For the front end user, they are unaware they are being pitched to over a dozen loan providers:

The standard iframe form that does the rounds on affiliate sites.

The standard iframe form that does the rounds on affiliate sites. Did you also spot the fake ‘secure’ label as discussed in Step 2? You pro!

… Look into the code however and we can see the application form is just an iframe provided by the third party GBCF, owners of the popular affiliate program EPL Web Solutions:


Just some of loan companies that will contact you! Sweet!

Just “some” of the loan companies that will contact you! Sweet!

Step 3: Pump/hack a load of backlinks to the domain over a 2 week period

This is where the casual affiliate sites differ from the pro’s making serious cash in this niche.

The casual guys will follow some form of crappy link building strategy, for example Payday Highway have submitted junky free press releases about a ‘super fast online cash funding service‘ to generate backlinks and pass off as an established business. It’s just the same old affiliate iframe from EPL Web Solutions on the application page.


Payday Highway have also somehow been accepted into Crunchbase, bought blogroll links and put some effort into social media. It works to some extent, however they lean on the ‘dodgy’ side of things and Google will catch up with them eventually.

But our case study, Payday Uncle, isn’t using your regular crappy link building campaign.

The guy is ranking number 1 in Google for ‘payday loans’ within just 4 weeks – that doesn’t happen ‘naturally’ or by using Xrummer and SENuke.

Look at the Opensite Explorer report and the domain has 1/100 authority…

Worthy of a number 1 ranking for Payday loans?

Worthy of a number 1 ranking for Payday loans?

And when we look at the link graph report from Majestic SEO, we can see some serious link building activity happening just days ago around the target phrases.


Nice 'natural' anchor text pie chart. Not. 82% of links have the words 'payday loan' or 'payday loans' in them. Hmmmm.

Nice ‘natural’ anchor text pie chart. Not. 82% of links have the words ‘payday loan’ or ‘payday loans’ in them. Hmmmm.

Government and educational domains using 'payday loans' as anchor text to a single page?

Government and educational domains using ‘payday loans’ as anchor text to a single page?

16,910 backlinks from all over the world. Woah.

So lets take a look at some of these links pointing to our favourite Payday Uncle:

… The list goes on, but they are basically pretty regular looking websites, with nothing to do with Payday Loans. However the links to Payday Uncle are not visible on the page to front end users, they are being hidden with CSS – but in the code we can see them:

The same format is used on the all the sites, links only visible in the code wrapped in the same class tags

The same format is used on the all the sites listed above. The links are hidden using a “position: absolute; top: -999px;” CSS style and some JS.

So what’s happening here?

Simply put – the sites have been hacked.

There are many ways to hack a site, and they have been covered recently in the excellent post from Razvan at Cognitive SEO. But in this case all the links checked are websites running Joomla. While hacking older versions of Joomla is certainly possible, it is more likely one of the plugins installed to add more functionality to the website. The irony is Payday Uncle is also running Joomla.

And what do all these external Joomla website have in common?

They all have the lovely looking ‘Autson Skitter Slideshow‘ image gallery plugin installed… which was updated recently with the following:

“Includes hidden backlinks to developer.”

So how’s that for a link building technique – build a plugin, get it popular in the Joomla Extensions Directory, wait for it to be installed by unsuspecting webmasters, and then start dropping your backlinks.

After a little more digging, it appears the company behind building these plugins is a web development firm named Autson, who have a number of plugins in the JED.

I don’t know if Auston are solely responsible – maybe their account has been hacked/sold, but I’ve reached out to them to comment on this article. It’s clear however that the links that are being placed are in rotation with others as reported here and here… So is Payday Uncle just their latest project?

The problem is, this plugin still remains available to download from the Joomla Extensions Directory. A lot of webmasters won’t give the ‘Includes hidden backlinks to developer‘ note in the friendly yellow tinted box a second look or understand they are inadvertently installing a spam plugin. Why would they? Joomla promotes the spam plugin with resounding praise – a ‘popular’ stamp and a 4.78 out of 5.00 rating from 125 users. Only 1 out of the 20 reviews on the first page mention the hidden treasure incased in this plugin.


Joomla just isn’t doing enough here. At the very least make the yellow tinted box a dark hellish red with a bomb/skull icon to represent the time left in the Google index after you install the plugin, to the left of the revised warning text.

However, the bigger issue is even if this plugin is removed from the JED, it still remains on hundreds of websites that originally downloaded and installed it. I highly doubt Epping Forest (one of the hacked sites) even know they are indirectly in violation of Google’s quality guidelines by cloaking and are at risk of having their website removed from Google.

So, who is going to take responsibility for this?

Joomla? – Well they’ve already done their bit and added an ‘Editor’s note’ to the plugin.

Google? – They might send a ‘your site has been compromised’ email out to admin@, info@ etc etc, but I’ve only seen this when either: A) the site has Google Webmaster Tools installed, or B): The site is really up shit creak and has obviously nasty stuff (like automatic downloads/redirects/malware etc) that damages the user visiting the website. Epping Forest doesn’t fall into either of these options.

The Web Agency? – They should only install plugins they have experience with using for clients. When they sold the ‘OMG a free 1 click install CMS’ to the client they need to also educate them about the risks and importance of regularly checking for security updates. It’s the responsible thing to do. Having a small print disclaimer about your lack of ‘responability’ for the stuff you are selling is not good enough. Every opensource CMS you sell should come with a fair maintenance plan to update old plugins and instances of the CMS.

Epping Forest? – Yes partly, through lack of incompetence they assume (wrongly) that you can build a website using open source code and expect to never get hacked. They also won’t pay a web maintenance fee because they deem it expensive and unnecessary as no one would hack a website about trees. They are also a government run website, making it far less likely a budget for £15 to ‘replace homepage image slider to remove cloaking vulnerability’ would get approval.

I digress.

Should Google take note of this hacking technique? Probably.

Should Google and Joomla/Wordpress/’insert CMS here’ talk to each other? Probably.

Should Google receive updates about plugins and templates that are in the JED which directly impact and manipulate the search engine results? Probably.

At the very least a member of the Google spam team should setup a Google Alert for ‘Includes hidden backlinks to developer’.

But that isn’t happening. Only once Payday Uncle gets manually reviewed by Google and is manually deindexed, our favourite Uncle will cash in on the commissions and will use the same technique over and over on the next domain name, but this time from the comfort of his affiliate funded villa in the Seychelles.

By the time this post gets coverage the domain in question will most likely be toast, but you can count on the next wave of sites moving up the rankings to take a slice of the payday pie.

26/12 UPDATE:
The hacked websites I mentioned above all used the ‘p class=’dnn’ tag to contain the hidden links, however the latest links that have been reported from Majestic SEO show the p class has changed to ‘nemonn’, for example:

Nemonn is a much larger hacking exploit linked to outdated Joomla and WordPress installations that is rearing its head on the WordPress message boards and appears to also be related to those that are also hosted with GoDaddy (not confirmed).

Our favourite Uncle is also diversifying his backlink profile and has strong rankings for a number of the target keywords:

  • payday loans
  • payday loan
  • payday loans uk
  • payday loans online
  • payday
  • uk payday loans

More updates to follow.

31/12 UPDATE: PaydayUncle is Toast… Enter Payday Hawk!

Payday Uncle has been ditched from the SERPS (must have happened in the last 48hours) and is no longer ranking for the terms above. The pages are also 404’ing for me, so maybe the webmasters have nuked it completely following the ranking drop.

However, now we have ‘Payday Hawk‘ ranking number 1 for ‘payday loans’… and it looks strangely familiar to the old Payday Uncle website:


On the application page, the lead capture form is also using the same affiliate tracking code as Payday Uncle.

Looking at the backlink profile, we have exactly the same footprint we witnessed with Payday Uncle from the referring domains, such as, which are hacked Joomla plugins with the dropped links within the ‘nemonn’ tag.

What’s more, our original backlink examples referenced (E.g. Epping Forest) have been switched over from Payday Uncle to Payday Hawk. It baffles me how easy and effective this technique is, and yet Google still hasn’t woken up and started to police these high value keywords.

More updates to follow. Most likely along the lines of ‘Payday Hawk is Toast… Enter Payday x

7/1 UPDATE: Payday Hawk is Toast… Enter Payday Joe!

Seriously this is getting ridiculous…

9/1 UPDATE: Welcome Payday Dad!


14-21st JAN UPDATE: And more spam sites just keep on coming, Daddy Payday and Payday Mom both registered on the 3rd Jan – same affiliate id, same link footprint, same tactic to exploit Google’s algo…



… I guess as they are now using Payday mom variations they ran out of male domain names!

The story continues…

  1. Andrew – awesome write up and very interesting analysis, scary google still cannot detect this spam!



Comments are closed.