A Potential Email Attack All WordPress Developers and Users Should Know About

A Potential Email Attack All WordPress Developers and Users Should Know About

Yesterday, our team was alerted to a potentially malicious social engineering scam targeting users of one of our plugins.

First, to be very clear, there is no problem or exploitable issue with any of our plugins. :)

However, we felt the whole situation is important enough to share with as many members of the WordPress and development community as possible, as there’s a good chance something similar might be used to target other users of premium plugins and themes.

It starts with an email

One of our members received the following email from a fraudulent email address that was made to appear like it came from me, Lead Developer at Incsub and WPMU DEV.

Why is this so bad?

Whoever is behind it, at the very least, is hoping to harm our relationship with our members and cause them a difficult time.

They might also simply be after free versions of our premium plugins – getting the recipient to email them a copy – but that seems like a lot of work for just that!

Or could it be even worse?

Notice in the email, it mentions that an update will be available “within a few hours”. It was quite possible that the attacker here could send back any sort of malicious version to the user – thereby getting away with who knows what.

The Sting

Anxious to get to the bottom of this and find out who is doing it and their true motives, we worked with the member to set up a sting operation of sorts. We created a “special” version of the plugin they requested with a hidden payload. As soon as the perpetrator would install it, we would get an email with the username, email, IP address, and server information. But first, to help determine their motive, we passed along an older version of the plugin not compatible with BuddyPress 1.5. If they were just after a free update then they would write back asking for the newest version.

Sure enough, a few hours later they sent these replies:

So it seems their objective was to simply get the latest version of the plugin. Seems like they put an awful lot of work into this, as well as breaking a number of laws, for a relatively inexpensive plugin.

After we sent it through:

So who was it?

After providing them with our special updated version of the plugin, they immediately installed it on their site, and everything we needed to know came flooding in to our email. We have their username, email, IP, physical address, PayPal account, picture, twitter, facebook, linkedin, everything. The sad thing is they’re a member of the WP/BP community, with lots of activity on buddypress.org and other WP sites.

We’re currently pursuing taking legal action against them, so don’t want to call them out publicly pending advice from our lawyers. Rest assured we’ll be making sure they never try this again, and attempt to identify whether they targeted any of our other members.

The nerve!

After all this (before we contacted him) he’s still mad that his illegally obtained “special” plugin still does not work with BP 1.5, so proceeds to use the contact form here at wpmu.org (with a fake name) to blame us and try to get a working copy!

Preventing such attacks

We’ve let our members know that we will only contact them through official means (ie. non-gmail addresses) and to only download updates from our site directly. And of course if this person has tried this trick on you please let us know!

Note this social engineering tactic is not only applicable to WPMU DEV members, it can be used against anyone running a premium theme or plugin from across the web. While in this case it appears they were only after a free copy of the plugin, future attacks could be used to get you to upload an exploit to your site giving the attacker full backdoor access to your server! Be aware, and always go to the original source for your plugin and theme updates.

We want to give special thanks to Brian Dooley of goBRANDgo for bringing this to our attention and helping us with the sting operation!

Brian Dooley, honorary WP security guy

Situated in the Benton Park neighborhood of Saint Louis, MO, goBRANDgo! is an integrated targeted marketing firm that provides online and offline strategies to help our clients achieve brand velocity. All of our websites are run on WordPress, though we’re just getting our feet wet in the BuddyPress/WPMU arena. We host the Saint Louis WordPress Meetup Group, and we were recently called out by Matt Mullenweg in his Keynote Address at WordCamp San Francisco.