Wordfence has taken the unusual step of naming the individual behind a 4.5-year spam campaign targeting WordPress plugins. Details of the individual, his attacks and the campaign are spread over three separate blog posts by Mark Maunder, CEO, Wordfence. The first focused on a specific spam campaign and the Display Widgets plugin.
The second focused on the individual behind all of this, Mason Soiza. Naming an individual is unusual and rarely occurs unless the company has irrefutable evidence.
Who has been attacking WordPress plugins?
Maunder has laid out the evidence across these posts. Soiza purchased Display Widgets for $15,000. Within five weeks there were two versions of Display Widgets. The first signs of malicious code were in the second version. This is a common trick on app stores: get an app approved, deliver stable, safe code and then insert the malicious code. The malicious code was spotted and Display Widgets was removed from the repository. One fix later, with a change to the code, it was back in the repository with different malicious code. The cycle is still being repeated, with users reporting that they have been affected.
Compounding the situation is that this is not the first time Soiza has done this. Maunder says: “..we are publishing research showing a coordinated effort by the same spammer that targeted WordPress plugins over a 4.5-year period. In some cases, site owners opted in to a vague agreement that didn’t make it clear that their sites would be serving spam; in other cases, plugins were simply “backdoored” to allow posting without a site owner’s permission.”
What other plugins are affected?
There are at least nine plugins that Wordfence has linked to Soiza’s scam network. Maunder says that the malicious code in them has now been neutralised or they have been removed from the repository. The list is:
- 404 to 301: Safe
- Display Widgets Plugin: Safe, but no longer maintained. Use Jetpack’s Widget Visibility Module instead.
- WP Slimstat: Safe
- WP Maintenance Mode: Safe
- Menu Image: Safe
- NewStatPress: Safe
- Financial Calculator Plugin: Safe. Never included malicious code, but Soiza did have access for some time this year.
- Weptile Image: Removed from repository
- No Comment: Removed from repository
4.5 years is a long time for anyone to run a scam without being detected. While Maunder has identified and named these nine, it is reasonable to assume others have been affected. Not all WordPress plugins are available through the repository. Developers write their own and some website companies have purchased plugins for specific needs. These may not have been effectively tested, leading to security risks.
Soiza has also used several companies and email addresses, some in different names. This means that this is not accidental. It is a live and active threat which Maunder estimates has affected over 200,000 websites. It will be interesting to see how many more plugins come to light now that this whole issue is becoming more public.
In his blog post, Maunder lists the history and status of each plugin. This includes the type of attack, the domains used to launch attacks and whether Maunder was able to contact the authors.
What does this mean?
This is an issue that should have every WordPress site on alert. Many sites are already at risk due to lack of skills and coding experience. These site owners rightfully rely on the WordPress Repository to provide them with a trusted experience. The trouble is that the repository is dependent on third parties spotting issues. It is very responsive when things are reported but, as seen with Display Widgets, a smart hacker can get around the issue by reissuing an “updated” version.
There is another challenge here, one that Maunder also mentions: reputation. In some of these attacks, people were persuaded to add code by a malicious actor. That code allowed the malicious actor to inject spam onto sites. It doesn’t have to stop there. There is nothing to stop that spam containing a redirect to an exploit kit. Those who allow this to happen often lack the skills and knowledge to detect and remediate the bad code. In almost every case they will have acted in good faith but, when it all turns nasty, it is their reputation that is affected.
Website owners need to think twice before entering into these deals. They should carefully check out the people asking them to do a deal over code. They should get someone they trust to check out the code. Such attacks don’t need to be inside a plugin. An advert for a site can contain hidden malicious code. A linkback could take users to a webpage that looks safe but has hidden frames. These allow drive-by attacks to be conducted.
This is not the last we will hear about this type of attack. If you use plugins, make sure you check them and have a reliable patching process for when things go wrong.