Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy

This entry was posted in Miscellaneous on August 8, 2018 by Dan Moen   10 Replies

Last September we published a series of three blog posts exposing a threat actor who had purchased a number of WordPress plugins as part of an elaborate supply chain attack. This ownership enabled him to inject SEO spam into hundreds of thousands of websites, boosting search engine rankings for various illicit online businesses.

In the first post we reported that a backdoor had been placed in the Display Widgets plugin by its author. We demonstrated how the backdoor worked and its purpose. We also found evidence that the plugin had recently been sold.

In our second post the following day, we were able to identify the man behind the plugin spam, Mason Soiza. We were also able to tie him to another plugin we had written about back in August of 2016, 404 to 301, which had also been used to inject SEO spam into websites. With the aid of the original plugin authors we were able to gather comprehensive information about the purchases. We were also able to tie Soiza to some of the illicit businesses the SEO spam was benefitting.

We continued our research and published a third and final post a week later. In it we were able to tie together a 4.5 year campaign impacting 9 WordPress plugins, all used by Mason Soiza to serve SEO spam on victim websites. These WordPress supply chain attacks caught the community by surprise.

The Times and BBC Take Things Further

Last week The Times published an article focused on the website UK Meds, which is owned by none other than Mason Soiza. According to The Times, the site is under investigation by regulators for selling prescription medications, including highly addictive opioid painkillers, to customers without a prescription. Customers need only complete a free “online consultation”, which is reviewed by a doctor in Romania.

A spokesman for Mason Soiza who was referenced in The Times article, “[…] accepted that he had bought WordPress plugins and inserted code but disputed that this was malicious code and denied he was a spammer.” The article also suggests the business has been profitable enough to allow Mr. Soiza to purchase a £215,000 Lamborghini and a £100,000 watch.

On Monday, the BBC Panorama series covered the topic of online pharmacies in the UK (linked content only accessible from the UK). Mason Soiza’s site UK Meds is among the four online pharmacy sites profiled.

In the episode, five volunteers order prescriptions, most of which could prove fatal for them. Three of them ordered opioid-based painkillers, one diet pills and another antibiotics. All five were able to successfully place their orders online by answering online questions dishonestly and receive the medications. In the most touching part of the episode, a mother whose son died as the result of a drug overdose is interviewed. Dependent on the drugs, he was able to buy them online for two years after his doctor had cut him off.

They also go undercover to talk to the owner of EuroRX, who explains how online pharmacies can leverage doctors in Romania to circumvent prescription requirements.

Protect the Community by Keeping Your Site Secure

We were happy to see both The Times and BBC take this story further. What they uncovered serves as an important reminder that the people behind the attacks on our websites are generally up to no good. It might just be a website to you, but to a criminal it’s an important resource they can use to further their agenda. Unfortunately, that agenda sometimes includes potentially deadly activities. We can all do our part to help keep the community safe by keeping our sites secure and out of the hands of criminal actors.

Did you enjoy this post? Share it!

10 Comments on "Known WordPress Threat Actor Under Investigation For Prescription-Free Online Pharmacy"

Mitch August 8, 2018 at 10:10 am • Reply

Thank you for a Great update and for keeping us informed.
I would like to thank the owners and staff of Defiant (Wordfence) for your continuing research on keeping WordPress and Users / Admins of WordPress Safe from criminals like this.
With out this wonderful / excellent Plugin we would be up to out necks in Bots / scammers / malware.
On behalf of 3 Aliens Web Hosting and our Clients Thank You So Much

Haroun Kola August 8, 2018 at 10:22 am • Reply

That is an extremely scary scenario. Hectic, as we say in SA.

Yahjam Brian August 8, 2018 at 10:30 am • Reply

Wow. I often wonder what are the benefits these people get from attacking our websites. Now Soiza has made me see how profitable it can be. I hope he is further exposed and taken down before he does further damage. Thanks for the great work in exposing him.

JOSEPH P PRISER August 8, 2018 at 11:05 am • Reply

I am hoping that The National Cyber Security Centre (NCSC), a part of GCHQ, protects the vital interests of the UK by providing advice on cyber security to UK government, critical national infrastructure, the wider public sector and suppliers to UK government.
knows about him I can't believe they don't, but allow him to still do business. In the US he would already have been put in prison.

Keep up the good work that you do.

Mc UD August 8, 2018 at 11:58 am • Reply

I m glad to know this. I will announce it better in Nigeria

Daryl Austman August 8, 2018 at 2:50 pm • Reply

WordFence has always been acting on behalf of the thousands (millions?) of WF security plugin users regardless of which version they choose... THANK YOU, on behalf of all these users, for your diligence, concern, and followup in regards to stories like these that have such a huge impact on Wordpress users.
I'm so glad I have you on MY security team!
It is amazing that the WF security team found out and dug deep to help expose this online spamming issue AND the potentially fatal effects of the business it benefitted. Good Job!!

Rohan August 8, 2018 at 9:58 pm • Reply

What, and have bureaucrats actually earn their money? Outrageous!

Ogbeta Oyakhilome August 9, 2018 at 2:37 am • Reply

Thanks for the info. Security is a major concern for all.

Steve Cooper August 9, 2018 at 6:30 am • Reply

When I counsel that customers and potential customers should take their website security seriously I am often asked, "but who would be interested in hacking my website?" and "why would somebody want to hack my website?". I will refer people to this article for the answer. It might even be a counterpoint to the response I got from a web designer who is happy to build e-commerce sites without HTTPS, who said of my insistence on better security for a site in which we both had an interest, that I should "get a life".

Billy August 9, 2018 at 6:20 pm • Reply

Very good update Dan. The Times article is more on point and questions the point of the illegal hacking of websites. I'm doubtfull he would have been as sucssesful with this unfair advantage. And should criminals be running pharmacys?


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 90 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates