Beware of emails promising the All in One SEO Pack Pro plugin for free

Dec 5, 2013 10:31 GMT  ·  By

Security researchers from Sucuri have come across an interesting cyberattack aimed at the owners of WordPress websites.

The attack starts with a scam email, purporting to come from WordPress, that informs recipients they've been "chosen" to take part in the company's Customer Rewarding Program. Since they're one of the "unique winners," they get the All in One SEO Pack Pro plugin for free.

“It’s coming at the perfect time, Black Friday where us Americans can barely contain our need to be civil towards one another, and Cyber Monday, the day we have this overwhelming need to spend on things we don’t need,” Sucuri’s Daniel Cid noted in a blog post.

“I mean, who would want to scam anyone during this time in which we are so jolly and willing to take anything we can for free, or heavily discounted?” he added.

This is where the fun starts. The download link in the email doesn't point to the developer's website or to the WordPress Plugin Directory. Instead, it takes victims to a hijacked website that's been set up to host what appears to be All in One SEO Pack Pro.

The plugin served to users is a modified version of the legitimate application. The cybercriminals have fitted it with a backdoor that gives them complete access to the infected server. The backdoor has been added to the file called aioseop_class.php.

Once it's in place, the malware replaces the site's existing index.php file with one designed to display malicious content to the website's visitors. Visitors can be redirected to spam websites or to sites hosting exploit kits.
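The two tampering steps described above (an extra file in the plugin tree modified, and index.php swapped out) are both caught by a plain file-integrity check against a known-good copy of the plugin. The following script is an added example for site owners, not code from Sucuri or from the plugin's developer. It assumes you keep a clean reference copy of the plugin (for instance the official download unpacked into a side directory) and compares it with what is actually installed; the directory names, the stand-in file contents and the "constructed" demo files are all made up for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large plugin files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_manifests(reference, installed):
    """Diff two manifests: files whose hash changed, files only in the
    installed copy (e.g. a dropped backdoor), and files missing from it."""
    modified = sorted(k for k in reference if k in installed and reference[k] != installed[k])
    added = sorted(k for k in installed if k not in reference)
    removed = sorted(k for k in reference if k not in installed)
    return {"modified": modified, "added": added, "removed": removed}


def audit_plugin(reference_dir, installed_dir):
    """Compare a known-good plugin directory with the installed one."""
    return compare_manifests(build_manifest(reference_dir), build_manifest(installed_dir))


def make_demo(base):
    """Constructed scenario: a clean reference copy next to a tampered install.
    File contents are stand-ins, not the real plugin's code."""
    base = Path(base)
    ref = base / "reference" / "all-in-one-seo-pack"   # hypothetical path
    inst = base / "installed" / "all-in-one-seo-pack"  # hypothetical path
    for d in (ref, inst):
        d.mkdir(parents=True, exist_ok=True)

    clean_class = "<?php\nclass All_in_One_SEO_Pack { /* constructed stand-in */ }\n"
    clean_index = "<?php\n// Silence is golden.\n"
    (ref / "aioseop_class.php").write_text(clean_class)
    (ref / "index.php").write_text(clean_index)

    # Installed copy: extra code appended to the class file, index.php replaced,
    # and one file that the reference copy never had.
    (inst / "aioseop_class.php").write_text(clean_class + "// constructed: appended code\n")
    (inst / "index.php").write_text("<?php\n// constructed: replaced content\n")
    (inst / "extra.php").write_text("<?php\n// constructed: file not in reference\n")
    return audit_plugin(ref, inst)


def run_demo():
    """Run the constructed scenario in a temporary directory and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        return make_demo(tmp)


if __name__ == "__main__":
    result = run_demo()
    for kind, files in result.items():
        print(f"{kind}: {files}")
    # On a real site, a non-empty 'modified' or 'added' list for a plugin you
    # did not edit yourself is the cue to restore it from the official source.
```

On a live site you would point `audit_plugin` at the unpacked official download and at `wp-content/plugins/<plugin>`; anything in `modified` or `added` that you did not put there yourself warrants restoring the plugin from the official source and checking the rest of the install, since the page notes the backdoor also rewrites index.php outside the plugin directory.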

One might think that WordPress website owners wouldn't fall for such a trick. However, Sucuri says it has already cleaned up a number of websites that had the malicious plugin installed.