There seems to be a new way of luring WordPress users to spam sites: WordPress plugin spam.
Like most other plugin authors I regularly check what others are saying about my plugins (actually I have a Google Alert set on their names). The other day I received an e-mail from this service telling me that there is a new fork of my pagebar plugin called Advanced pagebar. Hey cool, someone built a new plugin based on my code.
The plugin was called “Advance Pagebar – New way to navigate Pages …”. Surprisingly, the link “http://wordpress.org/extend/plugins/advance-pagebar/” did not work. What the heck?
After consulting my favourite search engine I finally grabbed a copy of the suspicious plugin (link omitted intentionally).
The “author” of this new plugin didn’t change much. First he adapted the plugin header:
Original header:
Plugin Name: Pagebar2
Plugin URI: http://www.elektroelch.de/hacks/wp/pagebar
Description: Adds an advanced page navigation to WordPress.
Version: 2.59
Author: Lutz Schröer
Author URI: http://elektroelch.de/blog
Changed header:
Plugin Name: Advance Pagebar
Plugin URI: http://***.com/advance-pagebar/
Description: For using the plugin, read the Advance Pagebar Instruction Page. Adds an advanced page navigation to WordPress.
Version: 6.143.3
Author: Lutz Schröer
Author URI: http://***.com/
(I replaced the original address with three stars.)
Great stuff, he didn’t even change my name! By using the high version number “6.143.3” the spammer wants to pretend that it’s a mature plugin.
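As an added example (not code from this post or from the pagebar plugin), here is a small Python audit that parses the plugin header format quoted above with the same line pattern WordPress uses and flags exactly the changes seen here: a renamed plugin, an unchanged author name next to links to a foreign domain, and an implausible version jump. The fork's domain in the sample is a placeholder I made up, not the spammer's real address.

```python
import re
from urllib.parse import urlparse
# Constructed samples modelled on the two headers quoted above; fork domain is a placeholder.
ORIGINAL_HEADER = """/*
Plugin Name: Pagebar2
Plugin URI: http://www.elektroelch.de/hacks/wp/pagebar
Description: Adds an advanced page navigation to WordPress.
Version: 2.59
Author: Lutz Schröer
Author URI: http://elektroelch.de/blog
*/"""
FORK_HEADER = """/*
Plugin Name: Advance Pagebar
Plugin URI: http://spam-example.invalid/advance-pagebar/
Description: Read the Advance Pagebar Instruction Page. Adds an advanced page navigation to WordPress.
Version: 6.143.3
Author: Lutz Schröer
Author URI: http://spam-example.invalid/
*/"""
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")

def parse_plugin_header(text):
    """'Key: value' lines of a plugin header, using the same line pattern as WordPress's get_file_data()."""
    fields = {}
    for key in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":[ \t]*(.+?)[ \t]*$", text, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields

def hosts_in(text):
    # Every hostname linked from the text, so domains the original never used stand out.
    urls = re.findall(r"https?://[^\s\"'<>)]+", text)
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}

def major_version(v):
    """Leading number of a version string ('6.143.3' -> 6); missing or odd strings count as 0."""
    m = re.match(r"\d+", v or "")
    return int(m.group()) if m else 0

def audit_fork(original, fork):
    """Report what a re-labelled copy changed relative to the author's own release."""
    o, f = parse_plugin_header(original), parse_plugin_header(fork)
    findings = [f"changed {k}: {o.get(k)!r} -> {f.get(k)!r}" for k in HEADER_FIELDS if o.get(k) != f.get(k)]
    foreign = hosts_in(fork) - hosts_in(original)
    if o.get("Author") == f.get("Author") and foreign:
        findings.append("author name kept but links now point to: " + ", ".join(sorted(foreign)))
    if major_version(f.get("Version")) > major_version(o.get("Version")) + 1:
        findings.append(f"implausible version jump: {o.get('Version')} -> {f.get('Version')}")
    return findings
```

Run `audit_fork(ORIGINAL_HEADER, FORK_HEADER)` against a downloaded copy's main PHP file to get the same list of findings the post walks through by hand.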
Additionally he changed the readme.txt file:
Original:
=== pagebar ===
Contributors: Lutz Schroeer
Donate link: http://elektroelch.de
Tags: navigation, navi, page, comments
Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk
Fake:
=== Advance Pagebar - New Way to Navigate Pages ===
Contributors: Lutz Schroeer
Donate link: http://111waystomakemoney.com/donate/
Tags: admin, plugin, footer, links, copyright, administration, blog,Google Adsense, WordPress,Plugin,widget,post,plugin,admin,sidebar,comments,images,twitter,page,google,links,image,ad,admin,administration,ads,adsense,advertising,affiliate,AJAX,amazon,analytics,anti-spam,api,archive,atom,audio,authentication,author,automatic,Avatar,blog,blogroll,book,bookmark,bookmarking,bookmarks,buddypress,button,calendar,captcha,categories,category,cms,code,comment,comments,community,contact,content,counter,CSS,custom,dashboard,database,date,del.icio.us,delicious,Digg,edit,editor,email,embed,event,events,excerpt,Facebook,feed,feeds,filter,flash,flickr,form,Formatting,gallery,google,google,maps,html,image,images,integration,iphone,javascript,jquery,language,lightbox,link,links,list,login,mail,manage,maps,media,menu,meta,mobile,mp3,music,myspace,navigation,News,nofollow,notification,page,pages,password,paypal,performance,permalink,photo,photos,php,picture,pictures,plugin,plugins,Post,posts,profile,quotes,random,Reddit,redirect,register,registration,related,rss,scroll,search,security,seo,Share,sharing,shortcode,sidebar,simple,slideshow,social,social,bookmarking,social,media,spam,statistics,stats,Style,tag,tags,technorati,template,text,theme,themes,thumbnail,time,TinyMCE,title,tracking,tweet,twitter,update,upload,url,user,users,video,widget,widgets,wordpress,wpmu,xml,yahoo,youtube navigation, navi, page, comments
Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk
Hey, that guy must be an SEO expert (no offense, Yoast!).
Original:
Pagebar adds a nice page bar to your blog posts, multipaged posts and paged comments:
Fake:
Pagebar adds a nice page bar to your blog posts, multipaged posts For detailed description of the plugin visit plugin page at [Advance Pagebar](http://111waystomakemoney.com/advance-pagebar/).
The spammer also added some text at the end of the readme.txt:
**Demo:** demo: [Advance Pagebar Demo](http://***.com/advance-pagebar/). Warm Regards, Rahul [Advance Pagebar](http://***.com/advance-pagebar/).
What a nice guy: Warm Regards! And his name is Rahul? That’s Indian, isn’t it?
Finally he changed the changelog:
== Changelog ==
= 6.143.3 =
* initial release
Version 6.142.3 is the initial release? Sure!
If you look at the other files you can see that the spammer simply replaced all occurrences of pagebar2 with Advance Pagebar:
Original:
if (!empty($_POST['pagebar2update'])) {
Fake:
if (!empty($_POST['Advance Pagebarupdate'])) {
The spammer also likes to put links into the settings page, and he even has a donation page. How cute!
For More Useful Plugins Visit: WordPress Plugins
If u like the plugin please Donate: Plugin Donation Page
For Instructions Visit: Plugin Page
He actually put some work into the fake plugin! At the end he added an index.html file to the plugin directory, for whatever reason:
WordPress Advance Pagebar - New Way To Navigate Pages Plugin
Advance Pagebar - New Way To Navigate Pages Plugin
Pagebar adds a nice page bar to your blog posts, multipaged posts For detailed description of the plugin visit plugin page at Advance Pagebar.
Author: Lutz Schroeer
Tags: ad, admin, administration, ads, adsense, advertising, affiliate, AJAX, amazon, analytics, anti-spam, api, archive, atom, audio, authentication, author, automatic, Avatar, blog, blogroll, book, bookmark, bookmarking, bookmarks, buddypress, button, calendar, captcha, categories, category, cms, code, comment, comments, community, contact, content, copyright, counter, CSS, custom, dashboard, database, date, del.icio.us, Digg, edit, editor, email, embed, event, events, excerpt, Facebook, feed, feeds, filter, flash, flickr, footer, form, Formatting, gallery, google, google adsense, html, image, images, integration, iphone, javascript, jquery, language, lightbox, link, links, list, login, mail, manage, maps, media, menu, meta, mobile, mp3, music, myspace, navi, navigation, News, nofollow, notification, page, pages, password, paypal, performance, permalink, photo, photos, php, picture, pictures, plugin, plugins, Post, posts, profile, quotes, random, Reddit, redirect, register, registration, related, rss, scroll, search, security, seo, Share, sharing, shortcode, sidebar, simple, slideshow, social, spam, statistics, stats, Style, tag, tags, technorati, template, text, theme, themes, thumbnail, time, TinyMCE, title, tracking, tweet, twitter, update, upload, url, user, users, video, widget, widgets, wordpress, wpmu, xml, yahoo, youtube navigation
Click for Beautiful WordPress Plugins
There’s a link to the WordPress plugins page. Really? No! (That’s why I replaced the domain with three stars.) The spammer actually registered a domain to perfect his fraud. This page lists some other plugins which are infected the same way, but their names aren’t changed. What an honour for pagebar! I think I should inform the authors about this spam attack.
The spam page
Brave as I am, I visited the site the spammer links to:
Looks like a regular site about WordPress plugins. The source of the page does not contain any suspicious JavaScript or Flash. Further down there is even real content:
Looks like actual content. As you can see, there are even some comments on the posts:
- John says:
  September 8, 2010 at 8:27 am
  hey man, nice blog…really like it and added it to bookmarks. keep up with good work
- Anton Dirksma says:
  September 8, 2010 at 10:46 am
  Hey, very nice website. I actually came across this on Bing, and I am happy I did. I will definately be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just absorbing as much info as I can at the moment. Thank You
The list goes on like this. At first glance the comments look genuine, but if you inspect the content and the commenting times a bit closer you’ll realize that they were created automatically.
Backstage
So who’s behind this? Let’s consult nic.com:
Registrant:
111waystomakemoneyhyderabad
india
hyderabad, Andhra Pradesh 500016
India
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: 111WAYSTOMAKEMONEY.COM
Created on: 30-Aug-10
Expires on: 30-Aug-11
Last Updated on: 30-Aug-10
As I suspected, it’s a guy from India (Rahul is a very common name in Bollywood films). It gets really funny if you enter the address in Google Maps: it’s the Begumpet Airport. LOL!
Conclusion
Altogether it’s still spam, but this is a small step further. The common WP user does not expect spam inside of plugins and, if I get the GPL right, there’s nothing you can do about it. All of the captured plugins are released under the GPL. Everybody can do almost anything with them as long as he re-releases them under the GPL. This spammer does nothing illegal, and even if he did, what are the chances of stopping him? Nil. The only thing we can do is to keep an eye on the site and to warn the affected original authors.
Wait, there’s another thing we can do: Thank the team of Automattic for removing such spam plugins from the official plugin site rapidly!