Wednesday, April 1, 2020

Warning: Fake Scam WordPress Plugin Causing Huge Headache

Pesach Lattin (http://pacevegas.com)
Pesach "Pace" Lattin is one of the top experts in interactive advertising and affiliate marketing. Pace Lattin is known for his dedication to ethics in marketing and his focus on compliance and fraud in the industry, and has written numerous articles for publications including MediaPost, ClickZ, ADOTAS and his own blogs.

A URL shortener, a fake plug-in and a malicious popuplink.js file are the three key ingredients found in a WordPress website infection campaign that since July has been redirecting victimized site visitors to various scam and ad sites.

Sucuri, whose research team observed the scam, reveals in an Aug. 17 blog post that up to 3,000 sites contained the popuplink.js malware at one point – a number based on findings gleaned from the digital marketing and affiliate marketing research tool PublicWWW.

The popuplink.js code itself is designed to hook the “onclick” event whenever a new visitor clicks on any link element on an infected web page, according to senior malware researcher Denis Sinegubko, who penned the post. When this occurs, either a new tab is opened with the actual link that was clicked, or the original tab obeys the malicious script’s command and loads a URL contained within its code.

This commences a chain of redirects that involve three shortened links created by the tiny.cc URL shortener. Ultimately, the website visitor winds up viewing a sketchy page containing ads or a flat-out scam such as a fake tech support service.

Sucuri says that the attack is a variation of an infection technique its researchers discovered last February, which involved the malicious plug-ins “injectbody” and “injectscr” and resulted in the creation of annoying pop-ups and pop-under ads.

The idea, explains Sinegubko, is to “inject the malicious code and make the plug-in invisible in the WordPress admin interface.”

In this more recent campaign, certain website infections have used a plug-in called “index” with a corresponding variable named “wp_cfg_index” while others have employed a plug-in named “wp_update” with a variable called “wp_cfg_wp_update”.

The blog post further notes that infected pages typically contain two scripts within the portion of their pages, one of which contains the name of the fake plug-in, and another that includes the name of the variable.

The malicious plug-ins are especially devilish in that their code comments are designed to look legitimate, and they also peek at their own user configuration settings to determine if the current visitor is a site admin – in which case, they will hide their activity.

The plug-ins also use cookies to prevent an injection or redirect for the same visitor within a 100-minute time span. Moreover, “if the visitor is the site administrator the malware will not be injected, and the cookie will be set for 100 years,” added Sinegubko. “A cookie with such a long duration prevents site admins from finding the malware even if they log out from the site. Of course, this only works as long as they use the same browser and don’t clean cookies or use incognito sessions.”

To combat the threat, Sucuri recommended that site admins remove fake plug-ins directly from the disk, delete unknown users with admin privileges, and change their passwords.
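A site owner can check rendered pages for the script indicators named above. The following is an added example, not code from Sucuri or from this article: it parses a page's `<script>` elements and reports which ones mention `popuplink.js` or the two `wp_cfg_*` variable names. The sample HTML is constructed for illustration. Because the malware skips injection for admins and for recently seen visitors, the HTML fed to it should come from a fresh session with no cookies.

```python
from html.parser import HTMLParser

# Indicator strings taken from the article. The plug-in name "index" is too
# generic to match on its own, so only the distinctive strings are used.
INDICATORS = ("popuplink.js", "wp_cfg_index", "wp_cfg_wp_update")

class ScriptCollector(HTMLParser):
    """Collects the src attribute and inline body of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # one [src, body] pair per <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src") or "", ""])

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def find_indicators(html):
    """Return {indicator: [script positions]} for scripts that mention it."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = {}
    for pos, (src, body) in enumerate(parser.scripts):
        text = (src + "\n" + body).lower()
        for indicator in INDICATORS:
            if indicator in text:
                hits.setdefault(indicator, []).append(pos)
    return hits

# Constructed sample pages (not captured from a real infection).
INFECTED = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>var wp_cfg_index = {};</script>
<script src="https://example.test/js/popuplink.js"></script>
</head><body><a href="/about">About</a></body></html>"""
CLEAN = '<html><head><script src="/wp-includes/js/jquery/jquery.js"></script></head></html>'

if __name__ == "__main__":
    print(find_indicators(INFECTED))
    print(find_indicators(CLEAN))
```

A hit is a reason to inspect the plug-ins directory on disk, since the fake plug-in is hidden from the WordPress admin interface.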
