
Malware & Threats

Backdoored Captcha Plugin Hits 300,000 WordPress Sites

Yet another plugin was removed from the WordPress repository after a backdoor was added to it following a recent update.

Called “Captcha” and featuring 300,000 active installs at the time it was removed, the plugin was found to have changed ownership several months ago. Initially developed and maintained by BestWebSoft, it was owned by an unnamed developer at the time the backdoor was added.

Through an update on December 4, code designed to trigger an automatic update process and download a ZIP file from the simplywordpress[.]net domain was added to the plugin. The archive would extract and install itself over the copy of the Captcha plugin already running on the site.

Inside the ZIP archive, a file called plugin-update.php, which was found to be the backdoor, was included, in addition to small changes to the plugin itself. The file would grant the author unauthorized administrative access to the WordPress websites using the plugin.

The backdoor was designed to create a session with user ID 1 (the default admin user WordPress creates at install), to set authentication cookies, and delete itself. Because the backdoor’s installation code was unauthenticated, anyone could trigger it, Wordfence reports.

The ZIP file also updated the download URL, so that the same update process that installed the backdoor could later be triggered again, this time to remove all traces of the malicious code.

The simplywordpress[.]net domain hosting the ZIP file is registered to a Stacy Wellington ([email protected]), who apparently has registered a large number of other domains as well. One of the domains is unsecuredloans4u[.]co[.]uk, which is linked to Mason Soiza, an individual previously associated with similarly backdoored WordPress plugins.

“[Soiza] has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them,” Wordfence explains.


The individual buys plugins and, after a few months, adds the backdoor code to them to create cloaked backlinks to his own loan sites and boost those sites' rankings for different search terms.

simplywordpress[.]net also includes the backdoored plugins Covert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

Looking at the website’s DNS history, Wordfence discovered a previous A-record of 195.154.179.176, which is the current A-record for unsecuredloans4u[.]co[.]uk, Mason Soiza’s domain. The same IP address is also used to host pingloans[.]co[.]uk, a site registered to Serpable Ltd, which is owned by a Charlotte Ann Wellington.

By digging deeper, Wordfence also discovered that both Wellingtons and Mason Soiza are linked to a Quint Group Limited. Stacy Wellington mentions working for Serpable, which is (or was previously) an SEO company and also “is an Introducer Appointed Representative of Quint Group Limited.”

“However, at this time, it’s unclear if either Charlotte or Stacy Wellington is the creator of the backdoor code we discovered in the Captcha plugin,” Wordfence notes.

Given the strong correlation between Stacy Wellington, simplywordpress[.]net, and heyrank[.]co[.]uk (another domain hosted on 195.154.179.176 and registered to the individual), the researchers suggest that wpdevmgr2678, the new owner of the Captcha plugin, could be Stacy Wellington.

Wordfence and the WordPress.org plugins team released a patched version of Captcha (v4.4.5) that no longer includes the backdoor. The automatic update mechanism was used to upgrade all backdoored versions (4.3.6 – 4.4.4) to the new one, and over 100,000 sites running the backdoored versions were upgraded over the weekend.
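For site owners who want to check their own installs against the indicators described above (a dropped plugin-update.php, a session forced to user ID 1 with authentication cookies set, self-deletion, the simplywordpress[.]net update domain, and the 4.3.6 – 4.4.4 version range), here is an added triage script. It is not Wordfence's tool or code from the plugin; the regex patterns are heuristics derived only from the article's description, the file layout is assumed to mirror a plugin directory under wp-content/plugins, and the sample file contents are constructed fixtures rather than the real backdoor.

```python
import re

# Version range the article names as backdoored, and the patched release.
BACKDOORED_MIN = (4, 3, 6)
BACKDOORED_MAX = (4, 4, 4)
PATCHED = (4, 4, 5)

# Heuristic indicators, each mapped to a behaviour the article describes.
# These are assumptions about how such code would look, not the real source.
INDICATOR_PATTERNS = {
    # forcing a session/auth cookie for user ID 1 (the default admin)
    "auth_as_user_1": re.compile(r"wp_set_(?:current_user|auth_cookie)\s*\(\s*1\s*[,)]"),
    # a file that deletes itself after running
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
    # the domain the malicious update ZIP was fetched from
    "update_domain": re.compile(r"simplywordpress\.net", re.IGNORECASE),
}


def parse_version(header_text):
    """Extract the 'Version:' field from a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_backdoored_version(version):
    """True when the version falls inside the 4.3.6 - 4.4.4 range named in the article."""
    return version is not None and BACKDOORED_MIN <= version <= BACKDOORED_MAX


def scan_plugin(files):
    """Scan {relative_path: contents} for the indicators above.

    Returns a sorted list of (path, indicator) tuples so results are stable.
    """
    findings = []
    for path, content in files.items():
        # the backdoor itself arrived as plugin-update.php inside the ZIP
        if path.endswith("plugin-update.php"):
            findings.append((path, "dropped_file"))
        # main plugin file carries the version header (assumed path layout)
        if path.endswith("captcha/captcha.php"):
            if is_backdoored_version(parse_version(content)):
                findings.append((path, "backdoored_version"))
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(content):
                findings.append((path, name))
    return sorted(findings)


# Constructed fixture: a plugin tree that shows every indicator at once.
SAMPLE_PLUGIN = {
    "captcha/captcha.php": (
        "<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.2\n*/\n"
        "$update_host = 'simplywordpress.net'; // constructed for the fixture\n"
    ),
    "captcha/plugin-update.php": (
        "<?php\n// constructed stand-in for the dropped file\n"
        "wp_set_current_user(1);\nwp_set_auth_cookie(1);\nunlink(__FILE__);\n"
    ),
    "captcha/js/captcha.js": "// benign asset\n",
}

# Constructed fixture: the patched release with no indicators.
CLEAN_PLUGIN = {
    "captcha/captcha.php": "<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.5\n*/\n",
}


if __name__ == "__main__":
    for label, tree in (("sample", SAMPLE_PLUGIN), ("clean", CLEAN_PLUGIN)):
        print(label)
        for path, indicator in scan_plugin(tree) or [("-", "no indicators")]:
            print(f"  {indicator:20} {path}")
```

To run it against a live install, replace the fixtures with a walk over wp-content/plugins that reads each file's contents; a hit on "backdoored_version" alone means the site needs the 4.4.5 update, while "dropped_file" or "auth_as_user_1" warrant treating the install as compromised and rotating credentials for user ID 1.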

Related: Backdoored Plugin Impacts 200,000 WordPress Sites

Related: Backdoor Masquerades as Popular WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
