“Hello, Is This the Writing Center?”: Illicit Paper Mill Activity and the Compromised Recomposition of College and University Websites

Contributor: Jim Ridolfo, William Hart-Davidson, and Chris Lindgren
Affiliation: University of Kentucky, Michigan State University, and Virginia Tech
Email: ridolfo at gmail.com. hartdav2 at msu.edu, lindgren at vt.edu 
Released: 14 December 2021
Published: Issue 26.2 (Spring 2022)



In this webtext, we highlight how college and university websites are increasingly under attack by bad actors working on behalf of paper mills. Paper mills are companies that sell academic writing meant to satisfy the requirements of a writing assignment. For the last three years, we have noticed an exponential increase in instances of compromised college and university websites that target students and redirect them to paper mills.1 These redirections would be as if a paper mill posted an ad about their services inside your brick-and-mortar writing center, department, or bookstore, causing some students to walk past legitimate educational services and into the paper mill's shop. As our title suggests, these redirections are so subversive that students have been reported as confused about a paper mill's affiliation with their academic institution, posing such a question as "Is this the writing center?"2

This targeted redirection problem has only gotten worse. As recently as 2018, academic integrity scholars such as Sarah Elaine Eaton (2018) have noted how paper mill companies target community organizations, and, as early as 2016, security engineers such as Tom Liston (2016) have identified how hackers compromise WordPress instances to upload PDFs with paper mill links as means to bolster their search engine optimization strategy. However, to our knowledge there has been no published and systematic attempt to study the scope of the problem on college and university websites. While many universities and the more than $2 billion dollar plagiarism detection industry have focused on scanning student work into their databases to surveil students and identify plagiarism, they unfortunately have missed a major part of the academic dishonesty picture: a low-cost and rapidly growing illicit digital infrastructure that's weaponized to exploit university systems, deceive students, and drive traffic to paper mills. While scholars in writing studies have been researching paper mills since their earliest days on the web (Ritter, 2005, 2006; Howard, 2001, 2007) and long before (Pemberton, 1992), we think that the tactics outlined in this article cross a clear line between what’s legal and illegal.

Ritter (2006) described how paper mills are not a new phenomena and have persistently adapted their tactics of collection and delivery, as internet and web technologies have allowed. She noted how papermills rationalize their services by preying on student pressures to succeed, where writing assignments are framed as "boring and 'irrelevant'" (pp. 35-36). She summarizes her experiences with paper mills below:

When we examine the rhetoric that paper mills continue to use online, in their capacity as nationally advertised companies that gain student-clients from all over the country, we can see that not much except the method of delivery has changed for the paper mills since the pre-Internet days of my youth, in which such companies were housed in shabby houses on the edge of college campuses and staffed by apathetic undergraduates whom one saw on campus occasionally but, of course, never personally knew. The companies are still operating relatively anonymously but with the bravado of a high-profile corporation, as they hoodwink students—their customers—into believing that cheating is “OK” because of both external and internal pressures for students to succeed in the face of a bleak job market, unfeeling and impersonal professors who are part of the university machine, and, perhaps most important, the prevalence of boring and 'irrelevant' writing assignments. (pp. 35-36)


Ritter (2005) engages questions and issues about how students lack their own conceptions of authorship in university context. She has asked the discipline to understand this position "between student authors and consumer culture that dictates the role that writing plays in one's college career" (p. 603). This research problem is meant to help our discipline better "explain why the online paper mills consistently, even exponentially, profit from our students' patronage" (p. 603). Our study does not engage the student angle that Ritter pinpoints. Yet, our scraped Google search data shows how these paper mill attacks are systematic, illegal, and have direct implications for writing programs and universities. We identify 7 specific ways that university websites have been compromised by paper mills, which we argue requires the cooperation between faculty and IT professionals to educate each other, so we can prevent institutional IT networks from being weaponized against our students. 

Key Findings 

  • In the last three years, actors working to the benefit of paper mills have crossed over from ethically questionable yet still legal advertising practices to the systematic and illegal compromise of university websites.3
  • Actors4 using botnets to the benefit of paper mills are infiltrating university systems via well-known vulnerabilities in their content management systems and in some cases replacing the university content with illicit paper mill materials.
  • Paper mills have engaged in social engineering, by publishing resource lists5 such as “A list of scholarships for female students” or “A list of scholarships for students with special needs” aimed to persuade students with some legitimate information that is made available by university resource pages. This social engineering or “compromised recomposition,” what we define as instances in which a writer appears to have unknowingly recomposed and recirculated deceptive paper mill materials, includes fake scholarship/essay contests designed to harvest original student work.6
  • Illicit paper mill activities are cheap to deploy because they use automated botnets and take advantage of known electronic vulnerabilities, and not surprisingly they are increasingly widespread.


For our first proof of concept pilot from November 30 to December 2, 2020, we compiled a list of 14 paper mill domains, a fraction of the total digital paper mill infrastructure. We then used site:edu search terms for each domain to scrape over 500 Google search results that included hundreds of links to compromised university websites (see Figure 2). We then cleaned a sample batch of *.edu data containing two paper mill domains and used a grounded theory approach of open coding to refine our categories. The cleaning included removing duplicate search results as well as coding dead links as “Not active.”7 We then cleaned and coded the remaining 12 domains based on the status of the attack (active /not active) and the type of attack.

Table 1. Frequency of a paper mill’s URL in the third sample within Google’s indexed results.

Paper Mill URL WHOIS Registration Date Results
Essayontime.com 2005-09-17T14:54:50.00Z 35
Essayoneday.com 2015-08-13T10:31:00Z 20
Essaypro.com 2000-02-20T08:46:52Z 17
Proessaywriting.com 2012-10-12T08:17:22Z 14
Essayassist.com 2008-05-17T00:12:02Z 13
Bestessays.com 2003-09-25T09:57:30Z 7
Power-essays.com 2015-08-13T10:30:58Z 6
Superbpapers.com 2006-04-21T07:00:00Z 4
Essaypro.cc 2020-09-14T08:32:52.00Z 4
Reviewingwriting.com 2007-10-21T13:50:02Z 3
A-writer.com 2010-04-14T20:09:47Z 2
Iqessay.com 2017-05-09T08:15:53Z 2
Write-paper-for-me.online 2019-11-27T12:31:38.00Z 2
Paper-helper.org 2017-03-03T11:02:48Z 1


Screenshot 93

Fig. 1. A combined geocoded map of the December 2, 2020, data of compromised college and university domains. View all map data here. View interactive map here.

We released the pilot data to Twitter on February 14, 2021, in order for colleges and universities to immediately patch compromised resources. Since we released the pilot data, we have seen a steady number of sites patched via direct notification and media generated by the report. However, as of April 8, 2021, 67 compromises remain active, pointing to a broad cross-institutional challenge getting largely North American colleges and universities to address these issues. Based on the initial pilot data, since February 2021 we have conducted two additional samples. The second sample was a check of the .edu.au domain at the request of academic integrity researchers Cath Ellis and Kane Murdoch at UNSW Sydney to understand how other country *.edu TLDs are targeted. In the Australian dataset, we identified 179 instances on the *.edu.au domain space and published a March 2021 addendum to our original report. Unlike the *.edu namespace, Australia has greater oversight of higher education, and the Australian Government’s Tertiary Education Quality and Standards Agency (TEQSA, 2021b) quickly released a response with institutional recommendations and began contacting all affected institutions. Additionally, we also received an institutional response from AusCERT, a nonprofit cyber security response team at the University of Queensland that works with Australian universities. Both of these coordinated responses could be potential models. We also note that while Australian colleges and universities had fewer instances of server-side compromise, actors working to the benefit of paper mills resorted to SEO workarounds such as Search Query pages outlined in the next section. After the Australian sample, we completed a much larger third sample of the *.edu TLD looking at 19 paper mill domains on March 3, 2021 (see Table 1). For this third sample, we used Python's scrapy code library and Google's Search API (Application Programming Interface) to collect 996 instances of *.edu compromise to the benefit of 19 paper mill domains.

Findings from the Third Sample: Types of Attacks

In the third sample, we identified seven types of ethically questionable tactics that are used to boost paper mill SEO results on compromised university websites, and in one category harvest student work under false pretenses. These tactics accomplish more than only boosting a paper mill’s search-engine ranking. Depending on the type of injected content, some attacks rhetorically phish, pharm, or spoof intended audiences into thinking that their services are legitimate. Additionally, false positives accounted for approximately 9.5% of the corpus. Even though these are not paper mill attacks, we discuss how these resources unintentionally bolster paper mill rankings. Below, we provide a brief example of each type of attack. We encourage readers to also browse the interactive map or data set for additional examples.

Uniform Resource Locators (URLs)

1. Search Query Language (SQL)8 redirected links (108 attacks, 10.84%). For the perpetrators, this attack is easily automated with coded scripts, which target identified SQL injection vulnerabilities on university servers. In this attack, web traffic visiting specific URLs on a university website are automatically redirected to a paper mill. In Figure 2, see an example of a page from utah.edu redirect to essayassist.com.

Fig. 2. A no longer active redirect from the first data set from utah.edu to esssayassist.com
2. Search Query Pages (433 attacks, 43.37%). In the examples below (Figures 3-4), students are forced to identify and distinguish compromised content from legitimate content on a university website’s search results page. Paper mills use a combination of the search URL query (‘s=’) and the templated university “search not found” page design scheme to create indexable, banner-like content. Consequently, even if no one visits this exact page, Google is currently indexing these pages in their results.
Pm Example Search Page Query Cornell  
Fig. 3. A screenshot of ciser.cornell.edu’s search result page. Note how Cheapapers.com uses the search query parameter (‘s=’) of the URL to render this indexable web page.
Video 1. A video describing how a search query index attack goes from Google to a grammar school website in Australia.


Webpage Regions

The following attacks involve a range of regions and length of content on webpages. They each typically involve different types of web technologies to produce them, which may help isolate areas to monitor in the future.

3. Bot Comments (152 attacks, 15.26%). In this scripted attack, bots are targeted against discussion thread software and content management systems, such as event pages or WordPress installations, which are configured to allow open account creation and/or anonymous comments. In Figure 4, see some example comments by bots that propagate paper mill content and links.

Olc.edu Bot Comment

Fig. 4. A screenshot of a discussion thread on olc.edu that is propagated with botnet paper mill comments and links.

4. Social engineering: Compromised recompositions (24 attacks, 2.41%) & Unvetted Resources (4 attacks, 0.40%). Rather than create smaller units of information, such as URLs or bot comments, these attacks either create more extensive pages of content on the compromised site (24), or involve phishing universities to post unvetted resources (4) on sanctioned university websites. These injected pages legitimize paper mills by critiquing the often-assigned essay assignment. They also normalize their use with claims such as “most university students need paper mills eventually.”

Video 2. A formerly active example from the first sample of "compromised recomposition'" on West Virginia University's College of Business and Economics scholarships page, redirecting students to a questionable scholarship contest on essayontime.com.au

Unvetted resources involve the sanctioned advertising of essay contests and scholarships on student resource pages, which are linked directly to college university website student resource offices. These unvetted resources are most likely the result of phishing scams that are not more thoroughly reviewed. Indeed, one university spokesperson is on record indicating that such resources were accepted and shared “in good faith.” (qtd. in Ross, 2021). It’s often university resource office webpages that are unintentionally directing students to essayontime.com.au pages. (See this spreadsheet for numerous examples.) These university offices are meant to support vulnerable student populations. Instead, we worry that they are inadvertently doing students a disservice, as well as allowing their essays to be harvested for Essayontime’s benefit.

5. Content snippets (6 attacks, 0.60%). Rather than produce entire pages of content like the compromised recompositions, or redirect users to paper mills, content snippets inject smaller bits of content to boost a paper mill’s ratings. For example, on a blog post about using technologies in the ESL classroom, the following URL was injected to replace a short snippet: “... Marta Dowson, a senior educator from Proessaywriting.com, says that lessons could involve the use of the latest software and applications for professional use that might be used in the workplace” (emphasis added, attack ID 151). While no anchored link exists, this snippet targets their URL next to other keywords like “senior educator.” Overall, this attack is not nearly as prominent as others, but it was certainly difficult to identify and understand within its new context.

6. Fake user profiles (3 attacks, 0.30%). Fake user profiles are slightly different from bot comments. Whereas bot comments involve fake users that yield comments in comment-thread technologies, fake user profiles target indexable profile pages. Three results from the third scan indicated how some paper mills are creating user profiles that include the paper mill’s URL in their description (see Figure 5).

Mit Scratch Essay Assist  

Fig. 5. Screenshot of a fake user profile on MIT’s Scratch: an online computer coding platform for kids (2021).

Other Types of Attacks

7. PDF Files (111 instances, 11.14%). The seventh type of attack included PDF files, which were identified within Google’s indexed items. At this time, we are uncertain if any or how these files could prove to be malicious or not. However, this file format is susceptible to injected scripts and other content injection tactics (cf. Liston, 2016). For instance, blackhat SEO strategies include backlink building. Backlink building involves the effort to increase the rank of a page by its connections with other sites. For example, in the context of this case, University page A links back to Paper Mill page B, due to one of these seven attacks. While we have yet to confirm any particular attacks with these PDF files, this file format has previously been used to inject keyword soup to influence Google’s PageRank algorithm (Maupin, 2015). We were able to verify at least 4 PDF files that seemed to yield false positive results (read more about false positives below). For example, one result included a master’s thesis in our own discipline devoted to a novel writing evaluation software called “Essay Assist” (attack ID 15), while another was a research article that included paper mill URLs (attack ID 39). Another PDF was a course packet that showed up twice in the results (attack IDs 536 & 953), which ironically included a webpage printout with an advertisement sidebar loaded with paper mill URLs. These PDF files also require further analysis.

8. False Positives (59 instances, 5.92%). False positives accounted for a notable portion of the indexed results. False positives include search results that are not genuinely identified attacks by paper mills. Instead, false positives include content that unintentionally bolsters paper mill signals and search engine ratings. Some of the false positives included academic articles archived by the university, blog posts, or teaching resources that included paper mill URLs. This content argues against these contract-cheating services. Yet, their direct citation of their URLs bolsters those particular paper mills. Other false positives prove to be more complicated. For example, Purdue’s internationally-renowned Online Writing Lab (OWL) showed up under paper-helper.com. While Purdue is not using this URL, they unfortunately host a partnering CHEGG citation machine that uses this language (see Figure 6).

Purdue Owl Research Paper Chegg Citation Engine  

Fig. 6. Screen capture of Purdue’s OWL page about “The Research Paper,” which created a false positive result, due to the keywords used with its embedded Chegg citation engine

Additionally, websites or files may include keywords that align with the unethical SEO tactics of paper mills. For example, Oglala Lakota College showed up in 11 results for essayassist.com, since their site hosts multiple files with language that includes the phrase “essay assist.”

9. Unknown Content Injections (71 attacks, 7.13%). Finally, the third sample included unknown content injections. Most of these results were most likely bot comments with paper mill links, but they were already inactive by the time we were able to code the result—a testament to how these attacks can be remedied quickly.

Attack Patterns

We asked 3 additional questions that might help establish future lines of inquiry about possible patterns of the attacks.

  1. Were there any patterns between paper mills and the types of attacks? If so, what can be potentially learned about such patterns?
  2. What types of universities are paper mills attacking and with what types of attacks?
  3. How many attacks are from more susceptible site installations, such as blogs, event pages, and wikis? And, what kind of attacks were prominent among these identified installations?

For the first question, we compared the paper mill URL against the coded type of attack, while the second question involved testing our data against a separate list of schools on the Carnegie rating system to identify how many R1 and R2 schools were susceptible to these attacks.9 For the third question, we noticed how all of the results are actually subdomains. Subdomains often indicate an independent administration by other associated university units. For example, a College of Arts may have a dedicated part of the main domain for a university: art.arizona.edu is a subdomain of the main domain arizona.edu. This independent site for the College of Arts may be maintained by IT professionals, or it may be maintained by non-IT faculty and staff in units that use user-friendly, yet vulnerable, blog, event, or wiki site installations.

1. Novel attack patterns Six of the 19 paper mills predominantly used the more novel search page query attack. All 6 included approximately 70-80 total attacks, while 4 of the paper mills showed up exclusively as using this particular attack (see Figure 7). We are not sure how or why this is the case. Does it indicate a particular entity behind those URLs that invented that particular novel type of attack, or are they focusing attacks on specific institutional lists? How can more novel tactics help identify the paper mill actors behind the attacks?

Pm Sqp Sankey Compressed  

Fig. 7. A sankey diagram showing the flow of attack-types to particular universities. (See the full Observable notebook.) The animated version above highlights how the following paper mills exclusively used the search page query attack: cheapapers, urpapers, paperwriting, and lowriting. While this diagram breaks down certain paper mill attacks by institutional category, we note that the "other" category here includes two-year and four-year colleges and universities. 

Paper mills are also pressing beyond the typical injected bot comment or redirected link by injecting entire pages as compromised recomposition, as well as phishing universities by contacting them directly to produce unvetted resources. Three paper mill URLs used the compromised recompositions, but of those three, essayassist.com was most prominent (21/24 attacks). Additionally, essayontime.com was the only identified paper mill URL linked to the unvetted resources. By studying the different SEO and compromised recomposition strategies supporting paper mills, can regular targeted scans and visualizations, such as the one above, help researchers identify and work with IT to isolate the more centralized actors?  

2. Carnegie ratings Since paper mills attack universities to boost their link’s credibility, it should be no surprise that there seems to be no discretion about the type of university under attack. Our sample includes a relatively even split between R1-2 universities (47.9%) versus all other universities (52.1%). However, as Figure 8 indicates, out of all of the types of attacks, R1 and R2 universities included 69.52% of the search query page attack. All of the other universities more evenly distributed the more typical forms of content injections, including bot comments, redirected links, and other injections that were inactive by the time of the coding of this data. Again, we are not sure about how or why this pattern exists. Additionally, we are unsure if Google’s PageRank dimensionalizes *.edu domains. However, it may be worth further inquiry.

F10 Search Query Pages Prominent At R1 2 Universities  

Fig. 8. Bar chart that compares attack types against R1 and R2 versus other universities. Search query pages prominent at R1-2 universities, while injected content is more prominent at other universities.

3. Types of attacks on blogs, event pages, and wikis Almost 80% of the compromised recompositions are on blog, event page, or wiki site installations (see Figure 9). Only 5 sites were not of these identified installations, but 3 of those 5 included a peculiar Canvas installation on a subdomain that was suspiciously named “Essay Assist” (attack IDs 0-2). Additionally, if a site was not identified as a blog, event page, or wiki, the attacks leaned toward redirected links, unintended SEO proxies, false positives, and search query pages.

F11 Percentage Of Injected Content  

Fig. 9. Bar chart that highlights how identified blog, event, and wiki site installations were highly susceptible to injected content attacks. Results are percentages of each attack category.

Context: What We Think Is Happening Is Driven by Unethical and in Some Cases Illegal SEO

Since we began tracking the attacks in November 2020 and in the weeks that have passed since we released our first report in February 2021, we have learned quite a lot about what we now understand to be a global, coordinated effort to market counterfeit essays and similar products and services. We are also sure that the problem is likely larger and more complex than we understand it to be today. Nonetheless, we think it is important to explain our sense of the situation, as it helps to provide context for our research methods, our interpretation of findings, and our recommended responses. A concise description of the problem as we frame it for research purposes is that a relatively small number of technology savvy online marketing companies who specialize in a range of what are known as unethical search engine optimization (SEO) strategies, have sought to build a scalable business for themselves by enabling many others to operate paper mills (Bello & Otobo, 2018). Paper mills are places that sell students’ papers, with the implication that they can be turned in as original work. The paper mills each have a unique name and URL, and there are hundreds of them. The SEO companies help to promote the URLs via SEO tactics for “reputation manipulation” that boost their visibility and their reputation in online searches by inserting them into resource pages or other university web content (Xu, Liu, Wang & Stavrou, 2015), or redirecting web traffic from university sites directly to a paper mill page (see Figure 10).

Kairos Network Active Status

  Fig. 10. Comprehensive network diagram of the third sample of paper mill attacks performed on March 3, 2021

Most of these businesses operate outside the United States, though some we have investigated, such as essayontime.com.au, have license to operate within the U.S. by virtue of being registered through a shell corporation in Wyoming. Both the paper mill services and the SEO company use tactics that are ethically questionable at best, and in some cases cross the line into territory that may be classified as deception and/or fraud. Their SEO tactics seem to share similar features as other market categories, such as sale of pharmaceuticals without a prescription (Farooqi et al., 2017). Specifically, SEO companies seek to form multilevel marketing organizations with lower tier operators. The paper mill then fulfills a product or service, while the SEO outfit coordinates the suite of technologies (e.g., scripted attacks and web templates, domain registry, hosting, file storage services, etc.) and marketing tactics across an ethical spectrum, from accepted and legal strategies to more unethical and illegal strategies. If this multilevel marketing formula is correct, it may provide a roadmap for institutions because it suggests that the proliferation of outlets that provide counterfeit papers and other forms of contract cheating are not necessarily invested in undermining academic integrity per se, but are rather focused on low cost access to potential customers. We posit that through the techniques outlined below, paper mills have found a scalable market to exploit using coercive tactics. In all cases where buying a product or hiring a service can be considered to be an unethical or illegal act in and of itself (e.g. sale of unapproved drugs or engaging a service for contract cheating), customers are vulnerable to blackmail if they stop paying. Students are told that if they fail to pay more, their school will be notified that they have cheated, putting their degree status at risk. A similar coercive threat is also present for others in the network all the way up the pyramid, as low-tier operators may fear being reported to legal authorities for fraud. Our investigation seeks to better understand the scope of this digital paper mill problem, and its structure and organization. We examined the unethical SEO tactics used, and we documented these for each attack indexed by Google. Before we offer additional detail about the results, and make suggestions for responding to the attacks, we will explain our methods with the hope that others might find them helpful to extend or replicate our work.

Recommendations: What Should You Do Now?

  1. Check the most recent list (Google spreadsheet) to see if your institution is on it. If it is, check other websites within your network because our list is not comprehensive.
  2. Share this article and talk about it with your colleagues and campus IT, and if you’ve been attacked, your office of university counsel.
  3. Talk to students about paper mills. We need to learn more about who is approaching students and how, under what circumstances, and what the results are.
  4. Update your content management systems’ security features to protect against known exploits. Turn off entry fields that are not used or seldom used. Take other known precautions against SQL injection and similar attacks in your CMS environments.
  5. For academic IT staff: Add automated and manual scans of your college and/or university websites, especially those that offer services directly to students, and do these on a consistent basis—weekly or monthly at minimum—as part of routine scheduled maintenance.
  6. Call for a coalition/body of educators and IT experts.

In the long term, we should also take a more careful look at any assignment that might present an opportunity for outsourcing. We should see outsourceable assignments as suboptimal at best when the learning outcomes and objectives of assignments are to provide students with experiential learning through practice. Paper mills rob students of that learning experience and fundamentally threaten our efforts, as institutions, to promote student success. It is past time to take that threat seriously.

Immediate Implications

We see four immediate implications of our findings that are worth sharing broadly and taking immediate action to mitigate.

Attacks on campus services. The tactics described above are attacks on university services intended to help students succeed. A student who is now learning online seeks out help from a legitimate university service—like a writing center or academic support office—and when they visit the university’s website they are redirected or encounter content that points to a paper mill and are solicited, there, to buy counterfeit papers to “help” with their assignment. Neither the academic unit nor the student would necessarily believe that something is wrong.

Compromise of campus IT systems may be illegal. Fraud may be actionable as well. There may be legal remedies that institutions and, perhaps, coalitions of institutions can pursue against these actors due to the widespread nature of the attacks. We think university counsel offices should work together with campus IT to build cases as a matter of protecting students.

Paper mills gain search engine credibility by proxy. One of the most insidious aspects of these attacks is that they are in most cases distributed and sprinkled across a wide range of institutions. Some of the top-rated U.S. universities were among the most frequent number of attacks that showed up in the Google search results, including the University of Minnesota, Harvard, Stanford, and Penn State to name a few (see Figure 11). Among these results, it only takes a few susceptible site installations to create these conditions. For example, approximately 92% of the attacks on the University of Minnesota’s Hormel Institute and approximately 89% of the attacks on Harvard’s T.H. Chan School of Public Health were WordPress installations. By exploiting susceptible domains as a credible proxy, paper mills are able to boost their search engine backlink rankings.

F12 Top Rated Universities

Fig. 11. Bar chart of the Top 15 universities most frequently represented in the third sample of indexed results

These site installations are some of the easier exploited web technologies to identify and develop a response plan. However, among Penn State’s results, a majority of them included indexed PDF files within their CiteSeerx database of scholarship. Among these results, a-writer.com and superbpapers.com have become associated with phrases such as “a writer” and “superb papers” used in these PDF files. Beyond maintaining a reference list of URLs, how can university IT and search engine professionals manage this mixing of keywords across the paper mill domains and common phrases used in scholarship? Furthermore, the distributed nature of these attacks makes them difficult to spot and identify as a pattern of activity. Ridolfo, for example, was not able to identify this as a possible pattern of activity until he saw four or five discrete examples over the course of two years. He shares this challenge to communicate that distributed strategies such as these may be difficult for IT administrators and faculty to identify when looking at their specific institutions when faced with only one or two examples of compromise. However, the net effect of these distributed SEO strategies helps to boost direct traffic to paper mill websites and simultaneously may increase the overall search engine results for paper mill websites, particularly when co-supported by “false positive” results, such as the ones we have indicated above in the third scan. While we do not know the rate of traffic, we do have the indication that these low-cost attacks are economically viable enough for these actors to pursue it as a strategy.

Campus-wide security plans should be updated to account for this type of activity.  Fraudulent replacement of content can be readily detected on networks much more easily than we have been able to do simply by examining change logs, etc. Many of the vulnerabilities that are exploited in the cases we have documented are well-known and have equally well-documented remedies. But if campuses are not looking for these attacks, they may not be aware of them. We also note that our scan is partial and has focused only on a few outlets selling student writing. This is largely because we come from a discipline that focuses on the teaching of writing. Similar schemes are possible, however, for companies selling exam answers or other content, and there are many, many more paper mill domains than those in our samples. 

Longer Term: Address the Incentives for Using Paper Mills Systemically

Our field of rhetoric and writing has warned of serious ethical problems with paper mills for some time.10 In general, our colleagues encourage institutions, teachers, and students to take a holistic look at what drives the use of these services and to consider an alternate model of what writing assignments are intended to do.11 In a word, they are intended to help students practice. Without meaningful practice, students miss the opportunity to improve. Meaningful practice includes composing, feedback, and revision—and ideally multiple rounds of these. This is the formula that leads to student improvement. But we also want to not accelerate some other worrying trends and arguments about students’ behavior. While some may wish to lay blame on students for their complicity in using paper mills, we do not think that the problems documented here will be solved by either stricter enforcement or more explicit codes of conduct alone. We turn here to the research Staci Perryman-Clark (2018) has done regarding plagiarism and racial bias, and we consider how regimes of electronic surveillance such as plagiarism detection services may also be weaponized against student writers. Writing about her experiences as a Writing Program Administrator and why Students Rights to their Own Language (STROL) “must become a critical component for how we teach students about plagiarism,” she writes that at Western Michigan University,

we notice that international students, ethnic minority students, and even students of lower socioeconomic backgrounds are the ones most often being reported by instructors for plagiarism. Specifically, as a WPA, I’ve found that instructors who reported such students say that they easily detected plagiarism because the writer’s voice and language differed dramatically from the language of the text from which the writers supposedly plagiarized. (p. 232)


For Perryman-Clark, “it is clear that racist and cultural biases not only exist in how we interpret purported plagiarized texts by students, but they also exist in whom we accuse and penalize for plagiarism” (p. 233). Furthermore, Chris Gilliard (2018) reminds us to question

the growing number of education-technology practices now in place at colleges across the country. Predictive analytics, plagiarism-detection software, facial-recognition technology, chatbots—all the things we talk about lately when we talk about ed tech—are built, maintained, and improved by extracting the work of the people who use the technology: the students.


What we take away from Perryman-Clark is that even prior to the use of operationalized plagiarism detection systems, racist cultural biases are a significant factor in the reporting of plagiarism. From Gillard, we are aware of how for-profit EdTech may amplify and extend those same racist cultural biases into digital regimes of surveillance. Therefore, our primary objective with reporting the predatory practices of paper mills is to prompt colleges, universities, and tech companies to shut down these exploitative practices and, building on Ritter’s (2006) idea of encouraging “first-year writing faculty to instead consider addressing the idea of plagiarism and authorship through alternative means that involve students as the principal investigators into the parameters of their own writing education” (p. 48), we see an opportunity to teach students to identify and understand these predatory practices as a component of their education.

What these attacks point to is a coercive campaign designed, first and foremost, to drive traffic from compromised college and university websites to paper mills as a means of deceiving students. There is growing concern over the ways students, in particular, are put at risk in the massive shift to online learning.12 Our goal, aligned with other members of our field, is for students to have the best environment for learning. This optimal environment includes writing assignments designed for deliberate practice and with iterative feedback loops and revision. But we also understand that this pedagogy takes time. Instructors who may have shifted to online learning suddenly in Spring 2020 might still be working to adapt while feeling their own stress from the pandemic and associated budget crisis, among other sources of stress. With both students and faculty rushed for time, bad actors have seized an opportunity to compromise college and university resources and take advantage of the conditions of our rapid shift to remote learning to exploit students. Furthermore, the issues we’ve discussed in this article mirror “rhet ops” strategies of disinformation and information warfare in digital environments, including the widespread use of botnets for the systematic compromise and rhetorical amplification of influence operations. This means that in most of these cases, such as SQL redirect and content injection, we believe that botnets are being used or hired by paper mills to conduct systematic influence operations against students through the compromise of university infrastructure.  


1 See for example documentation of individual instances of this *wisc.edu* compromise Twitter, 2018, the 2019 rpi.edu compromise Twitter, 2019, and the 2020 compromise of mtaloy.edu Twitter, 2020a (still active at the time of drafting this report, despite being reported in April), and the November 2020 compromise of Stanford's Behavior Design Lab Twitter, 2020b.
2 See, for example, this 2018 chat log from a wisc.edu redirect to essayoneday.com. Note here that “Nick” does not explicitly say that this is not the Writing Center.
3 There are many instances of legal cases involving paper mills over the last 50 years (see for example the 1972 case 69 Misc.2d 554332 N.Y.S.2d 343, The State of New York v. Saksniit), but to our limited legal knowledge this pattern of activity (electronic intrusion and systematic social engineering/compromised recomposition) differs from the focus of any previous legal case.
4 We do not know who exactly is responsible for many of these attacks, but the process is very similar to the WordPress Pharma Hacks. Pharma hacks inject spam content about pharmaceuticals onto Wordpress pages and search engine results. We do not know if companies themselves are directly responsible for these hacks, or if the work is hired out to a third party. We therefore use the term actors here.
5 See Eastern Washington University's link to essayontime.com.au PDF snapshot; A list of scholarships for female students; A list of scholarships for students with special needs; See also Glacier Peak High School's link to essayontime.com.au PDF snapshot; Scholarships for students with disabilities page.
6 See a now patched example from West Virginia University with more links in the report below.
7 We note that the dead links are residual evidence of an attack that was likely patched via a package update or directly addressed by a local administrator, but without an active cache (especially since the majority of SQL injection attacks are redirects), these results were coded as “Not active” in initial sample in this report. Since coding the initial data from Dec 2, 2020, some of the active links have been patched by IT administrators. The full data for all 14 domains is available here
8 For a more specific and detailed technical description of how SQL injections work, see https://www.w3schools.com/sql/sql_injection.asp
9 See the list in our Github repository.
10 See for example the April 2013 Conference on College Composition and Communication (CCCC) Intellectual Property Committee motion at the CCCC Business Meeting and reports linked at the bottom of the resolution
11 See Rebecca Moore Howard’s 2001 The Chronicle of Higher Education article “Forget About Policing Plagiarism. Just teach” that could just as easily be written today: students “...can get custom-written papers within 48 hours from online sites. Send in the assignment and a credit-card number, download the attachment when the finished paper comes back two days later, print it out, and presto! Assignment completed.”
12 See especially Chris Gilliard’s April 2018 article in The Chronicle of Higher Education “How Ed Tech Is Exploiting Students”




Bello, Rotimi-Williams, & Otobo, Firstman Noah. (2018). Conversion of website users to customers-The black hat SEO technique. International Journals of Advanced Research in Computer Science and Software Engineering, 8(6), 29–35.

CCCC Intellectual Property Caucus. (2013, April). Intellectual property-related motion at the CCCC business meeting. Conference on College Composition and Communication. https://cccc.ncte.org/cccc/committees/ip/ipreports/april-2013-report

Eaton, Sarah Elaine. (2018). Website hijacking by contract cheating companies. University of Calgary. https://prism.ucalgary.ca/ds2/stream/?#/documents/0c3594e7-6735-4dc2-b40f-5ac25cf1f404/page/1

Farooqi, Shehroze, Jourjon, Guillaume, Ikram, Muhammad, Kaafar, Mohamed Ali, De Cristofaro, Emiliano, Shafiq, Zubair, Friedman, Arik, & Zaffar, Fareed. (2017, April). Characterizing key stakeholders in an online black-hat marketplace. In 2017 APWG Symposium on Electronic Crime Research (eCrime) (pp. 17-27). IEEE.

Gilliard, Chris. (2018, 8 April). How ed tech is exploiting students. The Chronicle of Higher Education. https://www.chronicle.com/article/how-ed-tech-is-exploiting-students/

Howard, Rebecca Moore. (2001, November 16). Forget about policing plagiarism. Just teach. The Chronicle of Higher Education. http://www.chronicle.com/article/forget-about-policing-plagiarism-just-teach/

Howard, Rebecca Moore. (2007). Understanding internet plagiarism. Computers and Composition, 24(1), 3–15.

Liston, Tom. (2016, September 15). Wait... wut? Your Fly Is Open. https://yourflyisopen.com/blog/2016/09/14/wait-dot-dot-dot-wut/

Maupin, Marilyn. (2015, July 15). PDF link farms: How the latest effective blackhat SEO tactic got killed, instantly. Ten Scores Daily. https://tenscores.com/daily/failures/blackhat-seo-201507150700/

Pemberton, Michael A. (1992). Threshold of desperation: Winning the fight against term paper mills. Writing Instructor, 11(3), 143–152.

Perryman-Clark, Staci. (2018). Creating a united front: A writing program administrator’s institutional investment in language rights for composition students. In Shirley Wilson Logan & Wayne H. Slater (Eds.), Academic and professional writing in an age of accountability (pp. 168–184). Southern Illinois University Press.

Ridolfo, Jim, & Hart-Davidson, William (Eds.). (2019). Rhet ops: Rhetoric and information warfare. University of Pittsburgh Press.

Ritter, Kelly. (2005). The economics of authorship: Online paper mills, student writers, and first-year composition. College Composition and Communication, 56(4), 601–631.

Ritter, Kelly. (2006). Buying in, selling short: A pedagogy against the rhetoric of online paper mills. Pedagogy, 6(1), 25–51.

Ross, John. (2021, March 31). Essay mills “infiltrating university websites.” Times Higher Education. https://www.timeshighereducation.com/news/essay-mills-infiltrating-university-websites

Tertiary Education Quality and Standards Agency. (2021a, April 8). Advisory statement: Cyber security concerns–Commercial cheating services. Tertiary Education Quality and Standards Agency. https://www.teqsa.gov.au/advisory-statement-cyber-security-concerns-commercial-cheating-services

Tertiary Education Quality and Standards Agency. (2021b, April 9). TEQSA alerts higher education sector about new cyber threat. Tertiary Education Quality and Standards Agency. https://www.teqsa.gov.au/latest-news/articles/teqsa-alerts-higher-education-sector-about-new-cyber-threat

W3Schools. (2021, April 210). SQL Injection. https://www.w3schools.com/sql/sql_injection.asp

WordPress Security Expert. (2018, August 9). WordPress pharma hacking – What it is & how to fix it? WP Hacked Help Blog. https://secure.wphackedhelp.com/blog/wordpress-pharma-hack-fix/

Xu, Haitao, Liu, Daiping, Wang, Haining, & Stavrou, Angelos. (2015, May). E-commerce reputation manipulation: The emergence of reputation-escalation-as-a-service. In WWW ’15: Proceedings of the 24th International Conference on World Wide Web (pp. 1296–1306). https://doi.org/10.1145/2736277.2741650

Created by matthew. Last Modification: Sunday December 19, 2021 20:22:43 GMT-0000 by doug.