Every day we face countless cases of sites getting compromised and infected by an attacker. From there, the sites can be used for various operations like spam campaigns, malware spreading or simply to damage your SEO ranking among other events.
The threat may not always come from outside though. There are occasions where we are indirectly the ones responsible for the infection and may never find out until we get blacklisted by a search engine, or alerted of malicious code from our users.
There are many things website owners unintentionally do that can cause damage to their own website, such as:
- Adding ad networks that then end up spreading malware to your visitors;
- Installing plugins that are vulnerable or are obtained from questionable sources that may come with backdoors;
- Not monitoring the existing plugins on your website as one of them may become outdated or even be removed from the list of official plugins due to some issues found in the plugin.
Many times when a plugin makes use of external assets, like a third-party site, to hold information and the plugin doesn’t get maintained, those external sites end up being closed or bought by organizations. They don’t always have the user’s best interest in mind and may all of a sudden start distributing malware.
The plugin itself may also be bought by a company in which an update can start to spread malware. A good example of this is the SweetCaptcha plugin which caused popups on WordPress sites back in 2015. This time we look at a case where a plugin abuses websites to gain SEO rankings for an external website.
Shortened URLs for Googlebot
Recently, we investigated a case where the website was having a goo.gl link injected on its content. Goo.gl is a popular Google URL Shortener owned by Google to create short URLs.
In this case, the goo.gl links only showed when the visitor had a GoogleBot user agent. This user-agent is generally reserved for the Google search engine crawler, which scans web pages and links to help Google decide where to rank websites in its search engine. Our free remote website scanner is able to emulate the GoogleBot user agent to detect conditional malware that is meant to show only for GoogleBot, and not real visitors. This type of conditional malware helps avoid detection by webmasters.
The link itself (and the final URL it leads to) don’t seem malicious, nor does it have any clear indication of being malicious. It appears to be just a regular website . However, the final URL has no relation to the compromised website and it only displays when the user agent is GoogleBot, so this makes it very suspicious.
Upon further analysis, we found that the goo.gl link came from a plugin called “facebook-this”, more specifically, the following block of code from within its file.
Keeping it in non-technical terms, the code just fetches information from hxxtp://api.tqj[.]us/v3/link/creditbyversion only if the user agent is from a search engine bot, or if the visitor’s IP matches a specific IP range that belongs to Google.
The malware ensures that it’s only triggered when Google or other search engines visit the site.
Getting a little bit more technical now, let’s take a look at this plugin.
The plugin’s name is “Facebook-this”, named only “Facebook” inside the WordPress dashboard and its description states:
A Facebook plugin that allows visitors to like or share on Facebook! Everyone uses Facebook and so providing your Facebook visitors a method to like your page, post, or blog is important. Easily add a Facebook like button in one of many formats on your site. Don’t miss out on opportunities to reach the Facebook audience, there is over 1 billion Facebook users!
That seems pretty standard and, upon looking at the rest of the plugin’s code, it does indeed do what it says – but it comes with that extra little bit of code attached.
That code simply sends a request to hxxp://api.tqj.us/v3/link/creditbyversion/www.site.com/2/1 and receives its contents to output the following on the compromised site:
<iframe src='hxxp://goo.gl/WCluK' width='0' height='0'></iframe> <h1> <a href='#' rel='' title=''></a> </h1><iframe src='hxxp://goo.gl/WCluK' width='0' height='0'></iframe>
This plugin can no longer be found directly on the WordPress’s plugin repository, but (as with all removed plugins) it’s still available through their SVN repository at https://plugins.svn.wordpress.org/facebook-this/ – this indicates that the plugin had once been published and has since been removed from the official repository.
Is it Malicious?
Technically there is nothing malicious currently coming from this link, but the fact that your website is being used to publicize an external website to search engines without your authorization classifies it as “malicious behavior”. This is a twist on typical SEO spam which attempts to manipulate website rankings by abusing hacked websites to gain backlinks.
A quick Google search reveals several other websites with this same plugin installed, all with the same goo.gl URL being injected.
When performing another direct search looking for the link used to fetch the iframes, we identified the same goo.gl links.
From this, we can verify that the same api.tqj.us link is being used on several other websites.
Although the impact of this particular injection is not significant, we see quite a steady use of the injected goo.gl links since the middle of 2015.
Picking one of those sites at random and running it through our SiteCheck scanner we can indeed verify the same goo.gl injection happening.
Another point that makes this plugin very suspicious is that the author’s website is set as programmer.net, which looks fake. According to Archive.org’s, Wayback Machine, this site has never hosted any legitimate content. It has always held a placeholder page from its current registrar’s owner ever since its first snapshot in 1998.
We see the same issue potentially happening on thousands of different websites. So what if all of a sudden that innocent goo.gl link changes into something more damaging and starts spreading exploit kits or ransomware?
Even though we haven’t identified such behavior currently happening, it’s very hard to predict what attackers may use these machines for.
If you are using that plugin, we highly recommend removing it. You should also review other plugins and consider removing/replacing those that haven’t been updated for several years or have been removed from the WordPress plugin directory.
Using some sort of security monitoring will also help detect unwanted injections that install malicious themes and plugins which can abuse your site if their third-party resources turn bad.