We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.
If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:
This gives you an idea of how big a targeted SEO Spam attack can be.
Spam SEO Attacks on Joomla sites
Unfortunately, this story is not new. One of our readers pointed us to a very similar case that happened in the Joomla ecosystem just a few weeks before. In similar fashion, the campaign was able to infiltrate more than 20,000 sites. The developers involved were from many popular Joomla extensions:
iNowWeb.com (author: Sharif Mamdouh):
- AddThis For Joomla!
- Share This for Joomla!
- iNowSlider (mod_iNowSlider)
- iNow Twitter Widget (mod_TwitterWidget)
- BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
- Quotes By keyWord! (mod_JoomlaQuotes)
- iNow Wikio (mod_JoomlaWikio)
- iNow Twitter (mod_TwitterForJoomla)
- QuickJump for Joomla! (mod_quickjump)
Autson.com (author: xing):
- VirtueMart Advanced Search
- Skitter Slideshow
- FaceBook Slider
- Twitter Friends & Followers
- Flying Tweets
- Autson Twitter Search
- Twitter Quote
- FaceBook Show
- Plimun Twitter Ticker
- Twitter Show
- Nivo Slider
These guys tried to leverage their user base to inject the same type of SPAM seo (pay day loans) into any site running their extension[s]. In this case, the hidden backlinks were being called from:
This allowed the extension developers to control and choose what to be displayed on any site using their software. The Joomla security team also reacted fast and banned these developers and their associated extensions.
Restricting the usage of Extensions
We have been talking about this for a while, but it is important to repeat. Limit your usage of extensions (or plugins), along with all other third party components, and only use from trusted sources. More importantly, only if you need the said functionality. The less plugins you have configured in your environment, the less chances you have to be caught in a similar situation. The last thing you want is to become part of a SPAM botnet.
If you are unsure if your site is showing those spammy keywords, you can scan it for free here: http://sitecheck.sucuri.net