Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted.
Among them is Deep Jive:
“I was getting listed in Google for all manner of sneaky (and NSFW terms), so that people could click on those links with the hacker getting the affiliate cash — but *actually*, said hackers also inserted fake tempates into my wordpress theme.”
There are lots of reasons a hacker may want to inject code into a page:
- To infect visitors by exploiting a browser vulnerability
- To place ads they can then get revenue from
- To embed links to blogs they own, improving their page rank
- To entice people to click on links that lead them elsewhere
The clever thing about the WordPress hack was that it would check for code to insert into a page each time it was loaded, but if none was available, it would just sit there quietly. Which means that the creator of the theme could count how many sites their theme had “infected” based on hits to the embedded URL. Once enough sites had the themes, the creator could start supplying code to the blogs.
In this case, it appears that most of the sites are being used to send traffic to a few sites, which in turn have been morphed into stores.