Monday, September 26, 2011

Payday Loan Scam Site

I'm a sysop for the Freakipedia, a small Wiki dedicated to Distorted View, a hilarious, juvenile podcast that makes Howard Stern look like Pat Robertson. The bulk of my responsibilities amount to deleting spam. This once took about 5 to 10 minutes every few days. One day the podcast host, Tim Henson, announced that his father had terminal liver cancer and that the show would go on hiatus for a while. Within 48 hours of that announcement, the Wiki received more spam posts than it had gotten in the previous two to three months. The pattern was predictable. There would be an initial rash of posts linking to the spamvertised site and other vandalized Wikis, which would in turn link to the scam site being advertized at the moment. One URL kept cropping up more often than the others, so I decided to do a little research.
As the following text will show, the site is probably not a legitimate business. If the site itself will not try to steal your identity, it's designed to process your data with absolutely no security between you and their server. The site uses none of the security it claims when receiving your data and will not protect you in any way, shape or form. Even if by some miracle the site is legitimate, their fee structure results in interest rates that are no better than a cash advance through your credit card company.

If you need money badly enough to consider this site's services, get a cash advance or loan from your credit card company.

The first thing I noticed was that when you try to leave you get a bevy of popups trying to get you to stay.
These come up after trying to leave the home page. You haven't even entered any data and the site is trying to warn you not to leave. It does this repeatedly. Right off the bat we have a major red flag. Legitimate sites do not harass you about leaving.

Let's go on. Below the "Apply Now" button you see this text:
OK, that's nice, but the site hasn't loaded over SSL.

Even if the server itself is configured to support a secure connection, your data won't be encrypted unless you load the page using HTTPS and not plain, unencrypted HTTP. The "Apply Now" form asks for a first name, last name, email address and the amount of money you want to borrow. I filled it out with fake data and was immediately taken to a form asking me for my bank information, birthday, social security number and address, and that form still wasn't encrypted. It's not that hard to redirect web visitors to the secure version of your site if one exists. The popups trying to keep me from leaving the page take more technical skill than redirecting visitors to the secure version of a site. Even a lazy developer could at the very least have the form submit the data you enter over a secure connection, even if the form doesn't load over one. I took a look at the source code behind the form submission, and even the form asking for your social security number and birthday wasn't submitted to a secure page. The URL was hard-coded into the page. This means that even if you manually load the form through a secure connection, your data will be routed to an unsecured connection when you try to submit it.
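The hard-coded form target described above can be checked mechanically. The following is an added example, not code from the site or the original post: it parses a page's forms, resolves each `action` against the URL the page was loaded from, and reports forms that send sensitive fields over plain HTTP. The host `lender.example`, the field names and the sample markup are constructed placeholders, and the list of sensitive name fragments is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as sensitive (assumed list for this example).
SENSITIVE = ("ssn", "social", "routing", "account", "birth", "dob", "password")

class FormAudit(HTMLParser):
    """Collect each form's action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return (target_url, sensitive_fields) for forms that submit over plain HTTP."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action inherits the scheme of the page itself;
        # an absolute action overrides it, which is the hard-coded case above.
        target = urljoin(page_url, form["action"])
        sensitive = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        if urlsplit(target).scheme != "https" and sensitive:
            findings.append((target, sensitive))
    return findings

# Constructed sample markup; lender.example is a placeholder host.
HARD_CODED = """<form method="post" action="http://lender.example/apply2">
<input name="ssn"><input name="routing_number"><input name="birth_date"></form>"""
RELATIVE = """<form method="post" action="/apply2">
<input name="ssn"><input name="routing_number"></form>"""
if __name__ == "__main__":
    for url, html in [("https://lender.example/apply", HARD_CODED),
                      ("https://lender.example/apply", RELATIVE),
                      ("http://lender.example/apply", RELATIVE)]:
        print(url, "->", insecure_forms(url, html))
```

The first case is the one the post describes: the page is loaded over HTTPS, yet the absolute `http://` action still sends the data unencrypted. A relative action is only as safe as the scheme the page was loaded with.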

I decided to try manually loading the page over a secure connection to see if one even exists. This is easy to do: you just change the HTTP to HTTPS in the browser's address bar.

The moment I hit enter I got the same list of popups I got when I tried to leave the site in the first place. Grand.

The next thing I saw was yet ANOTHER red flag.
What the Hell?

To understand why this is a problem, you need to know a tiny tablespoon of information about SSL. SSL, the encryption that protects data in your web browser when you use your bank or other sites, uses a secure certificate. This certificate is "signed" by a root certificate vendor, such as Verisign or GoDaddy. These root certificate vendors have the job of making sure the people who buy certificates are in fact who they say they are. Without this system a random hacker anywhere in the world could buy a certificate claiming to be, for example, Microsoft. A self-signed certificate in this situation means the people behind the site couldn't cough up a hundred bucks or so and wait a day or two for the certificate vendor to verify their identity. This is not the behavior of a legitimate business, but of a scammer who knows that the process of validating his business would reveal him as a con artist. There are legitimate uses for "self-signed" certificates. Intranet sites within a business, for example, will often use them. They're also common in development environments. Putting one into production as this site has done is, at best, rank incompetence. You do NOT want these people handling your personal data. Even if they are a legitimate business, they appear to lack the computer skills to secure your identity information.

But wait, there's more! Check out the text "The certificate is only valid for Parallels Panel". What does this mean? Glad you asked. Parallels allows you to run other operating systems in a virtual environment. The use of a Parallels Panel certificate means whoever put it on the web server didn't even bother to generate their own Self Signed certificate but stole a random certificate from a different product.

Remember that hard-coded URL in the form asking for your social security number, bank routing information, home address and birthdate? Even if you used this invalid SSL connection to load that form, your data would STILL be submitted unencrypted. This is pretty much an identity thief's wet dream. If you wanted to design a site that would maximize the risk of someone stealing the data submitted, then this site would be the perfect example.

I'll use a home security analogy to explain what's going on here. Imagine your bank's web site is a house. It has a security system, auto-locking doors, sensors on all the windows and doors, motion detectors and a guard on duty. There are signs on all the windows and doors warning that the home is protected by a security system. This site has windows with missing panes and a door made out of balsa wood. The locks that are present were stolen from a nearby shed and the people behind the site don't have the keys, but that's OK to them because the locks fall open again the moment you try to lock them. There's a piece of cardboard out front. Scrawled on it in crayon are the words "guud sekurity sistem. yur moneys saf with us."

Both the bank and the shack your name, birthday, home address and social security number

The final nail in the coffin comes in the form of their fees.
This translates into a 15% to 26% interest rate on the loan. That's on the initial rates they advertise to get you to apply!

Don't do business with this site. They advertise through online spam posts and vandalism, their web site has NO security to protect your data when you submit it, the site design has a number of major red flags for scam activity and their rates are no better than using your credit card anyway. Why risk becoming the victim of identity theft for no financial benefit over using your credit card?

1 comment:

Anonymous said...

Hey asshole try using a service before nickin it. You're just butthurt because they turned your bankrupt ass down.