Security researchers from US firm Sucuri are warning WordPress site owners against installing pirated themes and plugins, especially from the GoMafia.com website.
The company’s engineers report that during their most recent site cleaning operations, one of them discovered some encoded code in the footer of one of their client’s sites, loaded via a premium WordPress plugin.
The crooks were first inserting four HTML links to four different websites. CSS code was hiding these links from the human eye, but not from search engines. The obvious reason of this tactic was to add these links to all sites on which the plugin was being loaded, in an attempt to boost search engine ratings for the four sites.
One of these links was GoMafia.com while the other three were all links to websites whichwere registered by the same person, an Indian developer from Tamil Nadu named Sathish Kumar, working for a Web development company named Kenzest(.com).
Sucuri also discovered that these four websites were running on the same server, also shared by Kenzest.
Crooks were also loading unwanted, malicious ads
Furthermore, the malicious footer script would also load a Google analytics code, which the previous four websites also shared among them.
Last but not least, the same footer code would also embed ads on the infected site. These ads brought revenue to the crooks, were very intrusive, sometimes badgering the user, and even linking to questionable, if not pure dangerous products.
Taking look at the source of all this malicious code, the GoMafia.com website, Sucuri understood how was all this possible. GoMafia is a portal that proclaims to provide access to nulled (pirated) WordPress themes and plugins, from WordPress marketplaces such as CodeCanyon and ThemeForest.
Webmasters should avoid using nulled scripts
It was pretty easy to reach the conclusion that Kumar had created GoMafia to distribute nulled WordPress plugins and themes that contained his malicious code.
Users downloading content from GoMafia would end up with malvertising and hidden black hat SEO on their sites.
Seeing that Kenzest was offering SEO services on its website, Kumar was probably in the process of building his black hat SEO emporium, before replacing the links to his own websites (for nulled software, interior design, coupons and adult material) with anything his clients wanted to boost in search rankings.