Reader comments

Four Amazing Mason Soiza Hacks

by Shela Folse (2018-09-17)


This post is part of a series. This is the next post and a follow-up to our first story, titled Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites. There is a third post in this series which explains how the same spammer influenced a total of 9 WordPress plugins over a 4.5 year period.

In this post, we explore who is behind the purchase and corruption of the Display Widgets plugin and at least 2 other popular WordPress plugins.

As part of my research into the sale of the Display Widgets plugin and the subsequent spam that appeared in it, I had reached out to Stephanie Wells, the original creator of Display Widgets, who sold it. Stephanie got back to me moments after I hit the publish button on our post.

We had a chat on Skype and she was extremely concerned, helpful and forthcoming with information to try to clear up what happened here. Steph has kindly agreed to allow me to share the details of their transaction with the WordPress community.

I was truly excited because that allowed us to follow the money in our investigation into who is behind the spam in Display Widgets. Little did I know this would lead to two additional plugins and shed light on a story we wrote about last year.

Following the Money
Steph confirmed they had sold the Display Widgets plugin to Mason Soiza for $15,000. He had approached them via their web contact form. This is the initial email they received, complete with spelling errors:

-- Begin email --

We'd love to invest in this plugin from you and take total owner ship of it and take away the strain from you.

We are trying to construct one of the largest wordpress plugin organizations and in doing this we are attempting to buy some quite large plugins like yours.

I am asking yourself if me and the team of mine will be ready to buy the plugin from you then take over the entire development of it and drive out a brand new update making it work better with the latest wordpress.

We will additionally include our admin team onto the support discussion board and ensure that the computer users are happy and in case there are any features they are particularly asking for we are going to get them included in to the next update.

We've over thirty four Plugins which we now own and manage.

-- End email --

During their negotiations they received an additional email from Soiza on April 24th which read:

-- Begin email --

We have one plugin every account as WordPress don't really love the fact that folks sell or perhaps buy the plugins so this shields us as the buyer from one of the prior owners from snitching and then crashing all the other plugins of ours.

I could name drop a couple of however:

https://wordpress.org/plugins/wp-slimstat/ managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ decided to buy two days before as we've a good concept on growing htis and genuinely wanted the name Finance Calculator still needs the custom to go on.
https://en-gb.wordpress.org/plugins/404-to-301/ bought this a couple of weeks back still in process of transferring, they have had press which is bad in the past so we desire to repair it and also improve on the current version in terminology of auto 404 fix.

We've many others but these are most recent.

To be brutally honest,

It can help with our net business that is pretty huge in the casino business, when we can use as a sales tactic Our code is used on more than 30million sites around the world etc etc. Sounds ridiculous but it goes along way in our industry, particularly as we need to apparent our statements by law.

-- End email --

Notice I've marked the 404 to 301 plugin in white. We will come back to that.

The plugin was no longer a central part of Steph and her husband's business, so they decided to sell it.

The PayPal transaction from May 19th, 2017 to purchase Display Widgets reads: Mason Soiza (pp@linkrocket.net) made a $15,000.00 USD payment

The contract that Steph received is actually signed by Mason Soiza.

On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code we talked about in part 1 of this series of articles. To remind you, this code allowed the new plugin author (Soiza, in this case) to post spam content on any website running Display Widgets. There were approximately 200,000 sites with Display Widgets at the time.

The Trac ticket that Calvin Ngan opened 7 weeks ago, which had been the first report of the malicious code and activity in Display Widgets, noted Payday Loan spam. This is an important fact, as you will see below.

Who is Mason Soiza?
The contract that Stephanie received is signed by Mason Soiza. The company name used on the contract is:

Soiza Limited of Jubilee Cottage, Nottingham, England, NG122LD.

Companies House in the UK shows Soiza Limited as:


The address is an exact match for the address and company name provided on the invoice. The company has one officer, Mason Reece Soiza, born March 1994 (age twenty three), a British citizen, appointed to the board on December 6th, 2016. His occupation is listed as Computer Coder.


The email which Soiza used in the transaction is pp@linkrocket.net. If we visit the website linkrocket.net, it does not provide much aside from a logo. However, if we look at an archived version of it from May 2014, three emails show up on the home page, and we get Mason Soiza's real email address, which is mason@linkrocket.net.


Using an email search engine called Pipl, we searched for mason@linkrocket.net and discovered an extended list of social profiles.

Included is a LinkedIn profile for Mason Soiza in Nottingham. The profile picture has now been removed from his LinkedIn profile page, but this is a screen capture.


Soiza's LinkedIn profile lists him as CEO of Payday Loans Now since 2014.


If we visit www.paydayloansnow.co.uk, we find the following at the top left of the page:


The footer of the webpage looks like this:


The relevant data in this footer is:

Paydayloansnow.co.uk is confirmed to belong to Soiza Internet Marketers Limited (SIML).
SIML is an introducer appointed representative of Quint Group Limited.
SIML is entered on the Financial Services Register in the UK under reference number 748266
Quint Group Limited is entered on the Financial Services Register under reference number 669450
SIML's company number is 09861376

Let's go to the Financial Services Register and look up SIML's reference number. We believe it is listed as follows.


In addition, on the FCA we discover the email address mason@inkrocket.net. This may be a typo because the domain 'inkrocket.net' doesn't actually exist. The domain should probably be (l)inkrocket.net.

Who Does Soiza Represent?
Based on information from the UK's Financial Conduct Authority, Soiza Internet Marketers Limited is authorized to introduce clients to Quint Group Limited. The financial services which Soiza is promoting are provided by Quint.

Soiza also operates www.unsecuredloans4u.co.uk, which is also reselling Quint's financial products.

I phoned Quint in the UK and was escalated to their compliance director, Graham McGifford, who was really responsive. He said that Quint does have criteria they need their representatives to comply with and they are going to take action if necessary.

Quint confirmed that Mason Soiza is an authorized representative, or 'introducer,' as the FCA's website calls it.

Graham requested that I send him more information so they can look into the issue. We are going to be forwarding this blog post.

Linking Mason Soiza to the 404 to 301 Plugin Spam
You will recall that in Soiza's own email to Steph (above), which he sent in April of this year while negotiating the purchase of the Display Widgets plugin, he mentioned that he purchased the 404 to 301 plugin:

https://en-gb.wordpress.org/plugins/404-to-301/ bought this a few weeks back still in process of transferring, they have had press which is bad of the past so we wish to fix it and also improve on the current model in terminology of auto 404 fix.

In August of 2016, we wrote a story titled 404 to 301 Plugin Considered Harmful. This was a controversial piece and we posted a follow-up titled We'll continually put our community and customers first.

In the follow-up, we point out that the spam from the 404 to 301 plugin was appearing on school sites in the UK and, in particular, a UK based escort service called cityofescorts.co.uk had turned up on a school website. This is the code that was fetching the spam content for the 404 to 301 plugin:


And this is an obfuscated screenshot we included in our August 2016 post:


If you do a whois lookup on cityofescorts.co.uk, you discover that the owner is Mason Soiza.


The wpcdn.io server that was being used to serve spam to the 404 to 301 plugin is still up and operating today. And if you visit the URL at wpcdn.io that was being used to serve up spam, it now serves up paydayloansnow.co.uk, which we have shown is yet another Soiza website.


Soiza says he bought 404 to 301. I reached out to the original plugin author, Joel James, to find out if that's true. I have not been able to get hold of him.

Back in August of last year, Joel James posted on this blog:


Did Joel James give Soiza commit access to his code? I'd love to hear more about precisely what happened. Soiza is now saying he purchased the plugin; however, we do not know if this was before or after the 404 to 301 debacle unfolded. Joel, if you could comment below to help us understand the timeline, that would be really helpful.

What About the Other Plugins Soiza Bought?
In his email to Steph, Soiza mentions two additional plugins. The notes to the right of each arrow are his:

https://wordpress.org/plugins/wp-slimstat/ managed by Dino
https://wordpress.org/plugins/finance-calculator-with-application-form/ bought 2 days before as we have an excellent idea on growing htis and genuinely wanted the name Finance Calculator still demands the designer to jump on.

I have not been able to connect with the author of WP Slimstat.

I did manage to connect with Ciprian Popescu, author of the Finance Calculator plugin that Soiza says he bought, and Ciprian was kind enough to share the information with me.

Soiza contacted Ciprian early this year and used an alias of Kevin Danna. He expressed interest in buying Finance Calculator.

Soiza then bought Finance Calculator for $600. During his communication with Ciprian, Mason Soiza appeared to make a mistake and unintentionally signed one of his emails from the Kevin Danna alias as 'Mason'. Ciprian shared a screenshot with me:


Soiza also seems to use the Kevin Danna alias on WordPress forums.

Ciprian said that for some reason, Soiza hardly ever updated the plugin after he bought it. After learning about what occurred with Display Widgets, he has taken back control of the Finance Calculator plugin, revoked Soiza's access and confirmed it is malware free. I got this email from him:

Hi Mark,

I can confirm that my plugin has not been tampered with. I've pushed an update to get rid of the 'financecalculator' committer, which was Mason Soiza. I'm in the procedure of updating a lot more stuff, which includes rewriting several code for a smaller footprint; however the plugin is fully functional and malware-free.

My Communication With Soiza
We now have hard evidence, courtesy of Ciprian, that Soiza uses the Kevin Danna email address to get in touch with people. We also know that the new owner of the Display Widgets plugin was using that address on WordPress forums.

I communicated with Kevin Danna via email while researching our previous post. I asked about the thirty four plugins that the wpdevs.co.uk website stated they owned. I also wanted to find out whether the malicious code in Display Widgets was there deliberately. This is the reply I got from Kevin. I published this in our previous post and left out the first couple of paragraphs. I am including them this time to give you a sense of who this person is.

Hi Mark,

Simply seen this email WOW!

The side of mine of the story is actually, as you may/may not know. I got clinically determined to have Lung Cancer a few months ago, so only have a couple of months/maybe a year remaining on this specific environment. So i sold up all my plugins to many people.

The Display Widgets plugin was marketed to a business entity in California that made me sign a NDA. Probably as a result of the reasons you have highlighted. This's the only plugin i sold to this guy. He promises to have a good deal of drupal plugins and this was the first wordpress plugin of his. I decided to buy this plugin for $15,000 and sold it for $20,000. They told me they was working with it to advertise there toolbar, which i assume you can use to search them up.

In regards to the thirty four plugins and counting, this was at the peak of my career. I would invest in plugins brand them up towards state a web design companies on the /wp-admin/ and then market the web design company in addition to the plugin with words such as Used by over 100,000 sites adding words that way etc inflated the price tag of the company by xyz and at this time I'd merely flip it as fast as i can. WP Devs is now a defunct business for reasons which are obvious.

I apologise for any inconvenience I've caused in immediately. I wish you the best of luck!.

Thanks

Kevin D

We know that Soiza purchased the Display Widgets plugin from Steph and purchased Ciprian's Financial Calculator plugin. We know that Soiza communicates using the Kevin Danna email address. We also know that Mason Soiza owns the domains used for spamming in the 404 to 301 plugin. We also know Steph sold her plugin for $15,000 to Mason Soiza. The email above is the first time I had read that number mentioned. We also know that the wpdevs.co.uk site was only registered in April, so it is not an old company from the peak of someone's career.

So I'm going to go out on a limb here and claim that Kevin Danna is actually Mason Soiza and, based on Soiza's public Facebook profile, he is looking really healthy.

Other Interests
According to a Whoisology search on Soiza's email address, he owns the following domains:

onlineblackjackexpert.net (Active blackjack site)
0xd0d78w2.info (Listed with Google as serving up malware. See below)

Before Google blocked it, the 0xd0d78w2.info domain was serving up a website which claimed your computer was infected and tried to get you to call a Microsoft support line. It looked like this (courtesy of Archive.org):


Business Is Good
Soiza seems to live the high life. On his public Facebook profile, he posts that he attended the Monaco Grand Prix in May of this year.


In April he was at Dead Rabbit in New York (sixteen dollars a cocktail).


Last year someone with the name Mason Reece Soiza posted a photo of their 2012 Ferrari 458 Italia on rate-drive-co.uk. The thread was discussing an idiot driver driving a red Ferrari 458 Italia 2012 model. The license plate is MA52 Son.


Business seems to be booming for Soiza.

Wrapping It Up
Our team has assembled plenty of data on Mason Soiza from public sources. He has interests in a broad range of internet businesses which include payday loans, gambling and 'escort' services, among others.

He has been active on black hat forums and has been banned from Dark Hat World (username LinkRocket) as well as from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a subreddit named /r/paydayloansnowcouk.

At this point we have verified that Soiza bought the Financial Calculator plugin and the Display Widgets plugin, and we have established a financial trail. He added a backdoor to the Display Widgets WordPress plugin to give himself unrestricted publishing access to websites running the plugin.

We also know that Soiza was involved with the spam that originated from the 404 to 301 plugin, which he claims he bought, although in that case the author has not yet verified the sale of the plugin. His escort website and payday loans websites were spammed from the 404 to 301 plugin.

If you are a plugin author and are contacted by Kevin Danna or Mason Soiza, we suggest you avoid all contact.

Naturally I welcome your feedback in the comments.
