Security researchers from US firm Sucuri are warning WordPress site owners against installing pirated themes and plugins, especially from the website.

The company’s engineers report that during their most recent site cleaning operations, one of them discovered some encoded code in the footer of one of their client’s sites, loaded via a premium WordPress plugin.

JavaScript file secretly loading black hat SEO spam

Unscrambling the data, this line of encoded PHP was loading a JavaScript file from the GoMafia server. A close look at this file revealed that the crooks behind this campaign were embedding several items on the victim’s site, behind his back.

The crooks were first inserting four HTML links to four different websites. CSS code was hiding these links from the human eye, but not from search engines. The obvious reason of this tactic was to add these links to all sites on which the plugin was being loaded, in an attempt to boost search engine ratings for the four sites.

One of these links was while the other three were all links to websites which Sucuri engineers say were registered by the same person, an Indian developer from Tamil Nadu named Sathish Kumar, working for a Web development company named Kenzest(.com).

Sucuri also discovered that these four websites were running on the same server, also shared by Kenzest.

Crooks were also loading unwanted, malicious ads

Furthermore, the malicious footer script would also load a Google analytics code, which the previous four websites also shared among them.

Last but not least, the same footer code would also embed ads on the infected site. These ads brought revenue to the crooks, were very intrusive, sometimes badgering the user, and even linking to questionable, if not pure dangerous products.

Taking look at the source of all this malicious code, the website, Sucuri understood how was all this possible. GoMafia is a portal that proclaims to provide access to nulled (pirated) WordPress themes and plugins, from WordPress marketplaces such as CodeCanyon and ThemeForest.

Webmasters should avoid using nulled scripts

It was pretty easy to reach the conclusion that Kumar had created GoMafia to distribute nulled WordPress plugins and themes that contained his malicious code.

Users downloading content from GoMafia would end up with malvertising and hidden black hat SEO on their sites.

Kumar didn’t distribute a backdoor with his nulled plugins, unlike another similar Indian developer caught doing something similar. Nevertheless, by changing a few lines of code in the dynamically loaded JavaScript file inserted in the infected site’s footers, he could have easily pushed anything he wanted to those sites.

Seeing that Kenzest was offering SEO services on its website, Kumar was probably in the process of building his black hat SEO emporium, before replacing the links to his own websites (for nulled software, interior design, coupons and adult material) with anything his clients wanted to boost in search rankings.

The decoded malicious code embedded in the footer of infected sites

The decoded malicious code embedded in the footer of infected sites

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲