Super Amazon Banners Plugin Gone Rogue

During a recent investigation we found the plugin Super Amazon Banners to be serving malware/spam via the domain seoranker[.]info. We suspect that the domain expired and was registered by somebody else who is using it to serve the malware now.

The plugin causes this javascript to try and load a popup (popupHtml) with many spam links to external sites. Also appears to be causing loading issues and some pages refuse to load at all:

(function() {'use strict'; if (window['shbNetLoaded']) return;window['shbNetLoaded'] = true;var popupHtml =

The issue was reported to WordPress and the plugin can no longer be downloaded, it was closed. We recommend removing the plugin from your WordPress site if you are using it.

Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags

AccessPress Themes Hit With Targeted Supply Chain Attack

Ben Martin
January 20, 2022

Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The…

Read the Post

Decoding the Caesar Cipher Skimmer

Ben Martin
June 20, 2024

Over the last several weeks we’ve observed an interesting new variation of “gtag” credit card skimming attack with a surprisingly high number of detections so…

Read the Post

Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor

Puja Srivastava
June 27, 2025

Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At…

Read the Post

Fake bb_press Plugin Redirects to Mobile Pornography

Fernando Barbosa
January 24, 2017

When a website is hacked, we often find that attackers have injected multiple backdoors, web shells, and malicious code that allows them to regain access…

Read the Post

New Wave of SocGholish cid=27x Injections

Denis Sinegubko
November 23, 2022

On November 15th, Ben Martin reported a new type of WordPress infection resulting in the injection of SocGholish scripts into web pages. The attack loads…

Read the Post

How Some OTP Systems Can Be Used to Prank Spam

Luke Leal
July 25, 2018

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment and immediately…

Read the Post

Credit Card Stealer Hidden in Fake Facebook Pixel Tracker

Credit Card Skimmer Hidden in Fake Facebook Pixel Tracker

Matt Morrow
April 11, 2024

In recent months, we have encountered a number of cases where attackers inject malware into website software that allows for custom or miscellaneous code —…

Read the Post

Plugins added to Malware Campaign: September 2019

John Castro
October 3, 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below: Multi-Vector Attack in…

Read the Post

Magento Credit Card Stealer: harilov[.]com

Luke Leal
February 7, 2020

Our Remediation team lead Ben Martin recently discovered a single line obfuscated PHP injection in the main index.php file of a Magento 1.9.x website. It…

Read the Post

Unauthenticated settings update in woocommerce-ajax-filters

John Castro
September 18, 2019

woocommerce-ajax-filters, which currently has over 10,000 installations (versions <=1.3.6) allows unauthenticated attackers to arbitrarily update all the plugin options and redirect any user to an…

Read the Post

Related Tags

Related Categories

You May Also Like