WordPress Plugin Spam, part 2

In the post Interesting new kind of WordPress Plugin Spam I reported about a site which offers WordPress plugins to attract the careless user to a scam site.

Since then Rahul (the man behind the scam) wasn’t inactive. A German user reported problems with his website which could easily be tracked down to a problem with an installed plugin. After a bit of research a plugin named “Visitor Stats” could be accused.

A quick peek at the known site confirmed my suspicion: the plugin is offered by “111 ways to make money”. Interestingly the site itself does not off the plugin (anymore). OK, maybe Rahul’s forgot to upload it. But where did the user got the plugin?


I entered the plugin’s name into my favourite search engine and was suprised:

Al right, this seems to be the original plugin which was altered by Rahul. I downloaded the file to do a diff to see what he had changed. To my surprise this IS the infected file, in the official repository. OMFG!
I seem not to be the first who has detected this, there are some posts in the support forum.

Let’s take a look at the code.

Disecting the enemy

In the old spam plugins the header looked very suspicious but with the use of a url shortener it now looks a bit more conclusive:

Of course those URLs lead to the known scam site but hey, who’s checking them before clicking them, we got used to clicking tinyurl links.

Rahul has learned some WordPress plugin skills, too:

In line 30 he declares a variable and actually adds a comment. How nice of him! Then he declares a function which outputs some JavaScript. The function will be called by adding a filter and an action hook in the sidebar and the footer. Are they really called? As far as I know there is no filter hook called get_sidebar, it’s an action hook. Well, Rahul does not appear that smart anymore to me.

So what’s the JavaScript he plants into the page do? It pulls an advertisment from linkbucks.com which is displayed in the footer since the get_sidebar hook does not work. That’s a new business model since I last reviewed this plugins.

After that he uses some iframes:

Now, this is clever! Vitbuzz.com seems to be a community where college students can connect (though it’s rarely populated). This site is badly coded so you can abuse the service to cryptify the links.

Here he adds a a paragraph and hides it by setting the font-size to “0%”. Though this should be enough he adds some more CSS code. I guess he’s not actually sure what he does and simply cut and pasted the code from somewhere else.

Once again he tries to add the JavaScript code to the page, wasn’t once enough? In the end Rahul has to change the plugin path since the original plugin is poorly designed:

I think Rahul will keep us busy with new ideas how to attract people to his site. I’ll keep you informed if I’m aware of any newly infected plugins. Hopefully they will not end up in the official repository again. People will lose confidence in the repository and in WordPress as a whole.
Unfortunately the plugin pages does not provide any contact person who could take care of the problem. Maybe it’s time to create a group of people that scans new plugins for such scams or to create some kind of scanner who checks new plugins for known scam site and code. Any volunteers?

BTW: the original plugin is called “wp-visitors” (http://wordpress.org/extend/plugins/wp-visitors/).

Leave a Reply

Your email address will not be published. Required fields are marked *