Anti-Social: Popular WordPress Sharing Plugin Linked To Payday Loan Spam

A popular plug-in for sharing blog content on social networks was discovered to have hidden code that was injecting WordPress blogs with links to phony Pay Day Loan offers and other spam, according to the firm Sucuri.

Wordpress Logo

The plug-in, named Social-Media-Widget (SMW) was compromised with malicious code 12 days ago, in concert with an update of the widget. The new version of the plug-in contained a hidden call to a remote PHP script that inserted “Pay Day Loan” spam text and links into WordPress web sites running the plugin. The goal was to infect as many web sites as possible with text that would increase the web reputation and visibility of a web site run by the spammers, according to the post on Tuesday, by Daniel Cid, Sucuri’s CTO.

SMW is among the most popular add-ons for Wordpess sites. It allows bloggers who use WordPress to configure sharing buttons that will appear on their blog and accompany each blog post, allowing readers to circulate the blog content out to social media websites or other blogs.

Social Media Widget
Social Media Widget – a popular WordPress plug-in – was caught seeding blogs with links to Pay Day Loan scam web sites

WordPress statistics show that it had been downloaded around 935,000 times through the end of March. The plug-in was the creation of Brian Freytag, a Michigan based developer. In a post from Freytag’s personal blog dated January 15, however, he claims to have sold the widget to an “unnamed company for an unnamed sum,” saying he was unable to continue developing the free utility.

On Tuesday, someone using Freytag’s name left comments in a support forum for SMW that said he no longer has any involvement with the plug-in and expressed dismay at its use as a spamming tool.  

“I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.5),” the user claiming to be Freytag said. “I want the record to reflect that this issue arose months after I passed off the widget and have not had…access since signing over the widget in January.”

Freytag claims to have had a “discussion” with the party he sold the widget to, and that he claims that a freelance developer working on the plug-in “decided to go rogue or his password was cracked.” He did not immediately respond to a request for comment from The Security Ledger.

WordPress has since acted quickly to remove the plugin from its  official WordPress Plugin Repository. Sucuri recommends that WordPress sites using the plug-in remove it immediately. 

Social sharing plug-ins like Social Media Widget are enormously popular in online publishing. However, they also easy targets for scammers and can expose users to infection or unwanted tracking. “Many sharing tools track users and gain access to valuable information, which is stored in user profile databases that can be breached,” Veracode said.  The security firm Veracode in February warned about the security dangers of sharing plug-ins and released SmartShare, an internally developed and secure sharing utility.

Spread the word!

2 Comments

  1. This plugin is not a “social sharing” plugin and therefore the quotes in your article about “sharing tools” are not applicable. This plugin does NOT allow visitors to share the page or post and does not track users, via database or otherwise. The ONLY purpose of this plugin was to provide LINKS to a website owner’s social network pages. This is NOT the same as sharing. So, your talking about “security dangers of sharing plug-ins” and promoting SmartShare is erroneous and misleading. That would be like calling the Blogroll widget a social sharing widget.

  2. Pingback: WordPressஇல் Social Media Widget பாவிப்போருக்கு எச்சரிக்கை... « கேள்வி-பதில் கேள்வி-பதில்