Interesting new kind of WordPress Plugin Spam

There seems to be a new way of luring WordPress users to spam sites: WordPress Plugin Spam.

Like most other plugin authors I regularly check what others are saying about their plugins (actually I have a Google Alert set on the names). The other day I received an e-mail from this service telling me that there is a new fork of my pagebar plugin called Advanced pagebar. Hey cool, someone built a new plugin based on my code.

The plugin was called “Advance Pagebar – New way to navigate Pages …”. Surprisingly the link “http://wordpress.org/extend/plugins/advance-pagebar/” did not work. What the heck?

After consulting my favourite search engine I finally grabbed a copy of the suspicious plugin (link omitted intentionally).

The “author” of this new plugin did not change much. First he adapted the plugin header:

Original header:

Changed header:

(The three stars were the original address.)

Great stuff, he didn’t even change my name! By using the high version number “6.143.3” the spammer wants to pretend that it’s a mature plugin.

Additionally he changed the readme.txt file:

Original:

Fake:

Hey, that guy must be an SEO expert (No offense, Yoast!).

Original:

Fake:

The spammer also added additional text to the readme.txt.

What a nice guy: Warm Regards! And his name is Rahul? That’s Indian, isn’t it?

Finally he changed the changelog:

Version 6.142.3 is the initial release? Sure!

If you look at other files you can see that the spammer simply replaced all occurrences of pagebar2 with Advance pagebar.

Original:

Fake:

The spammer also likes to put some links into the settings, and he also has a donation page. How cute!

He actually put some work into the fake plugin! At the end he added an index.html file to the plugin directory, for whatever reason:

There’s a link to the WordPress plugins page. Really? No! (Therefore I added three strokes to the domain.) The spammer actually registered a domain to perfect his fraud. This page lists some other plugins which are infected the same way but their names aren’t changed. What an honour for pagebar! I think I should inform the authors about this spam attack.
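The pattern described above (author name kept while plugin name, URI and version were changed, plus an index.html that links off-site) can be checked mechanically against a trusted copy of the original header. The following Python script is an added example, not part of the original post or of pagebar; the function names, the trusted header values and the host names are constructed placeholders, and only "pagebar2" and "6.143.3" come from the post.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

FIELDS = ("Plugin Name", "Plugin URI", "Version", "Author")

def parse_header(source):
    """Extract header fields; WordPress itself reads only the first 8 KB."""
    found = {}
    for field in FIELDS:
        if m := re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", source[:8192], re.M | re.I):
            found[field] = m.group(1).strip()
    return found

class LinkHosts(HTMLParser):  # collects the host name of every href/src attribute
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and urlparse(value or "").hostname:
                self.hosts.add(urlparse(value).hostname.lower())

def audit(plugin_dir, trusted):
    """Compare a plugin directory with the header of the trusted original."""
    findings = []
    for php in sorted(Path(plugin_dir).glob("*.php")):
        header = parse_header(php.read_text(errors="replace"))
        changed = [f for f in FIELDS if header.get(f) != trusted.get(f)]
        if header.get("Author") == trusted["Author"] and changed:
            findings.append(f"{php.name}: author kept, changed: {', '.join(changed)}")
    for page in sorted(Path(plugin_dir).rglob("*.htm*")):
        parser = LinkHosts()
        parser.feed(page.read_text(errors="replace"))
        off = sorted(h for h in parser.hosts if not ("." + h).endswith(".wordpress.org"))
        if off:
            findings.append(f"{page.name}: links to {', '.join(off)}")
    return findings

def demo():  # constructed sample: header values and host names are placeholders
    trusted = {"Plugin Name": "pagebar2", "Plugin URI": "http://author.example/pagebar",
               "Version": "2.0", "Author": "Original Author"}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pagebar.php").write_text("<?php\n/*\nPlugin Name: Advance Pagebar\n"
            "Plugin URI: http://plugins.example.invalid/\nVersion: 6.143.3\nAuthor: Original Author\n*/\n")
        Path(d, "index.html").write_text('<a href="http://plugins.example.invalid/">WordPress Plugins</a>')
        return audit(d, trusted)
```

A plugin file without a header, or one by a different author, produces no header finding; only the off-site link check applies to it.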

The spam page

Brave as I am I visited the site which the spammer links to:

Looks like a regular site about WordPress plugins. The source of the page does not contain any suspicious JavaScript or Flash. Further down there is even real content:

Looks like actual content. As you can see, there are even some comments on the posts:

  • John says:
    September 8, 2010 at 8:27 am

    hey man, nice blog…really like it and added it to bookmarks. keep up with good work

  • Anton Dirksma says:
    September 8, 2010 at 10:46 am

    Hey, very nice website. I actually came across this on Bing, and I am happy I did. I will definately be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just absorbing as much info as I can at the moment. Thank You


The list goes on like this. At first glance the comments look genuine, but if you inspect the content and the commenting times a bit closer you’ll realize that these were created automatically.

Backstage

So who’s behind this? Let’s consult nic.com:

Registrant:
111waystomakemoney

hyderabad
india
hyderabad, Andhra Pradesh 500016
India

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: 111WAYSTOMAKEMONEY.COM
Created on: 30-Aug-10
Expires on: 30-Aug-11
Last Updated on: 30-Aug-10

As I suspected it’s a guy from India (Rahul is a very common name in Bollywood films). It gets really funny if you enter the address in Google maps: it’s the Begumpet Airport. LOL!

Conclusion

Altogether it’s still spam, but this is a small step further. The common WP user does not expect spam inside of plugins and, if I get the GPL right, there’s nothing you can do about it. All of the captured plugins are released under the GPL. Everybody can do almost anything with them as long as he re-releases them under the GPL. This spammer does nothing illegal, and even if he did, what are the chances of stopping him? NIL. The only thing we can do is to keep an eye on the site and to warn the affected original authors.

Wait, there’s another thing we can do: Thank the team of Automattic for removing such spam plugins from the official plugin site rapidly!

Comments

  1. lisa white says:

    This fucker got me!

    how do i remove it from my blog? Just delete the plugins?

  2. Yeah, great post. The guy got my plugin too (WP Greet Box). I’m thinking of adding some kind of backdoor that will only trigger on unauthorized uses. But then that would put users at risk, so I don’t want to do that. Now… if only he uses one of our plugins on his own site, we can backdoor the bastard and kill his entire site from the inside-out. Just a thought…
