
Warning: Fake Scam WordPress Plugin Causing Huge Headache

Redirecting victimized site visitors to various scam and ad sites.

A URL shortener, a fake plug-in and a malicious popuplink.js file are the three key ingredients found in a WordPress website infection campaign that since July has been redirecting victimized site visitors to various scam and ad sites.

Sucuri, whose research team observed the scam, reveals in an Aug. 17 blog post that up to 3,000 sites contained the popuplink.js malware at one point – a number based on findings gleaned from the digital marketing and affiliate marketing research tool PublicWWW.

The popuplink.js code itself is designed to hook the “onclick” event whenever a new visitor clicks on any link element on an infected web page, according to senior malware researcher Denis Sinegubko, who penned the post. When this occurs, either a new tab is opened with the actual link that was clicked, or the original tab obeys the malicious script’s command and loads a URL contained within its code.

This commences a chain of redirects that involves three shortened links created by the tiny.cc URL shortener. Ultimately, the website visitor winds up viewing a sketchy page containing ads or a flat-out scam such as a fake tech support service.

Sucuri says that the attack is a variation of an infection technique its researchers discovered last February, which involved the malicious plug-ins “injectbody” and “injectscr” and resulted in the creation of annoying pop-ups and pop-under ads.

The idea, explains Sinegubko, is to “inject the malicious code and make the plug-in invisible in the WordPress admin interface.”

In this more recent campaign, certain website infections have used a plug-in called “index” with a corresponding variable named “wp_cfg_index” while others have employed a plug-in named “wp_update” with a variable called “wp_cfg_wp_update”.

The blog post further notes that infected pages typically contain two scripts within the <head> portion of their pages, one of which contains the name of the fake plug-in, and another that includes the name of the variable.

The malicious plug-ins are especially devilish in that their code comments are designed to look legitimate, and they also peek at their own user configuration settings to determine if the current visitor is a site admin – in which case, they will hide their activity.

The plug-ins also use cookies to prevent an injection or redirect for the same visitor within a 100-minute time span. Moreover, “if the visitor is the site administrator the malware will not be injected, and the cookie will be set for 100 years,” added Sinegubko. “A cookie with such a long duration prevents site admins from finding the malware even if they log out from the site. Of course, this only works as long as they use the same browser and don’t clean cookies or use incognito sessions.”
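A site owner can check saved page source for the indicators the article names (the popuplink.js script and the wp_cfg_index / wp_cfg_wp_update variables) with a small scanner like the one below. This is an added example, not Sucuri's code; the sample page, the example.invalid host and the plug-in path inside it are constructed for illustration.

```python
# Added example (not Sucuri's code): flag the indicators the article names in
# saved page source. Fetch pages without admin cookies, because the plug-in
# hides itself from logged-in administrators.
from html.parser import HTMLParser
SRC_INDICATORS = ("popuplink.js",)                        # external script
INLINE_INDICATORS = ("wp_cfg_index", "wp_cfg_wp_update")  # config variables


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:  # inline script: start collecting its body
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def find_indicators(html):
    """Return (kind, indicator, evidence) tuples for every match."""
    p = ScriptCollector()
    p.feed(html)
    hits = [("script-src", ind, src) for src in p.srcs
            for ind in SRC_INDICATORS if ind in src.lower()]
    hits += [("inline-script", ind, body.strip()[:80]) for body in p.inline
             for ind in INLINE_INDICATORS if ind in body]
    return hits


# Constructed sample page (not a real capture); the plug-in path is made up.
SAMPLE = """<html><head>
<script src="https://example.invalid/wp-content/plugins/index/popuplink.js"></script>
<script>var wp_cfg_index = {"delay": 0};</script>
</head><body><a href="/about">About</a></body></html>"""

if __name__ == "__main__":
    for kind, indicator, evidence in find_indicators(SAMPLE):
        print(f"{kind}: {indicator} -> {evidence}")
```

Run it over HTML fetched from a fresh, unauthenticated browser session or with curl, since the article notes the plug-in suppresses the injection for recognised admins.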

To combat the threat, Sucuri recommended that site admins remove fake plug-ins directly from the disk, delete unknown users with admin privileges, and change their passwords.


Pesach Lattin

Pesach "Pace" Lattin is one of the top experts in interactive advertising and affiliate marketing. Pace Lattin is known for his dedication to ethics in marketing and his focus on compliance and fraud in the industry, and he has written numerous articles for publications such as MediaPost, ClickZ and ADOTAS as well as for his own blogs.
