This entry was posted in General Security, WordPress Security on September 13, 2017 by Mark Maunder 161 Replies

This post is part of a series. This is the second post and a follow-up to our first story titled “Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites“. There is a third post in this series which explains how the same spammer influenced a total of 9 WordPress plugins over a 4.5 year period.

In this post, we explore who is behind the purchase and corruption of the Display Widgets plugin and at least two other popular WordPress plugins.

As part of my research into the sale of the Display Widgets plugin and the subsequent spam that appeared in it, I had reached out to Stephanie Wells, the original author of Display Widgets who sold it. Stephanie got back to me moments after I hit the publish button on our post.

We had a chat on Skype and she was incredibly concerned, helpful and forthcoming with data to try and clear up what exactly happened here. Steph has kindly agreed to let me share the details of their transaction with the WordPress community.

I was really excited because this allowed us to follow the money in our investigation into who is behind the spam in Display Widgets. Little did I know that this would lead to two other plugins and shed light on a story we wrote about last year.

Following The Money

Steph confirmed that they had sold the Display Widgets plugin to “Mason Soiza” for $15,000. He had approached them via their web contact form. This is the original email they received, complete with spelling errors:

–Begin email–

We would like to purchase this plugin from you and take complete owner ship of it and take away the stress from you.

We are trying to build one of the largest wordpress plugin companies and in doing this we are trying to purchase some rather large plugins like yours.

I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.

We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.

We have over 34 Plugins that we now own and manage.

–End email–

During their negotiations they received a further email from Soiza on April 24th which read:

–Begin email–

We have 1 plugin per account as WordPress do not really like the fact that people sell or buy the plugins so this protects us as the buyer from one of the previous owners from “snitching” and then crashing all our other plugins.

I can name drop a few however:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino

https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.

https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

We have many others but these are most recent.

To be brutally honest,

It helps with our web business that is pretty big in the casino industry, when we can use as a sales tactic “Our code is used on over 30million websites” world wide etc etc. Sounds silly but it goes along way in our industry, especially as we need to evident our statements by law.

–End email–

Notice I’ve marked the “404 to 301” plugin in red. We’ll come back to that.

The plugin was no longer a core part of Steph and her husband’s business, so they decided to sell it.

The paypal transaction from May 19th, 2017 to purchase Display Widgets reads: “Mason Soiza (pp@linkrocket.net) made a $15,000.00 USD payment“

The contract that Steph received is signed by Mason Soiza.

On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code we covered in part 1 of this series of posts. To remind you, this code allowed the new plugin author – Soiza, in this case – to publish spam content on any site running Display Widgets. There were approximately 200,000 sites using Display Widgets at the time.

The Trac ticket that Calvin Ngan opened 7 weeks ago, which was the first report of the malicious code and activity in Display Widgets, reported Payday Loan spam. This is an important fact, as you’ll see below.

Who Is Mason Soiza?

The contract that Stephanie received is signed by Mason Soiza. The company name used on the contact is:

Soiza Limited of Jubilee Cottage, Nottingham, England, NG122LD.

Companies House in the UK shows Soiza Limited as:

The address is a complete match to the address and company name provided on the invoice. The company has one corporate officer, Mason Reece Soiza, born March 1994 (age 23), a British citizen, appointed to the board on December 6th, 2016. His occupation is listed as Computer Programmer.

The email that Soiza used in the transaction is pp@linkrocket.net. If we visit the site linkrocket.net, it doesn’t provide much other than a logo. However, if we look at an archived version of it from May 2014, three emails appear on the home page, and we get Mason Soiza’s real email address, which is mason@linkrocket.net.

Using an email search engine called Pipl, we searched for mason@linkrocket.net and found a long list of social profiles.

Included is a LinkedIn profile for Mason Soiza in Nottingham. The profile pic has now been removed from his LinkedIn profile page but this is a screen capture.

Soiza’s LinkedIn profile lists him as CEO of “Payday Loans Now” since 2014.

If we visit www.paydayloansnow.co.uk, we discover at the top left of the page the following:

The footer of the page looks like this:

The pertinent data in this footer is:

Paydayloansnow.co.uk is confirmed to belong to Soiza Internet Marketers Limited (SIML).

SIML is an “introducer appointed representative” of Quint Group Limited.

SIML is entered on the Financial Services Register in the UK under reference number 748266

Quint Group Limited is entered on the Financial Services Register under reference number 669450

SIML’s company number is 09861376

Lets go to the Financial Services Register and look up SIML’s reference number. We find it listed as follows. You can click the image for a larger version which opens in a new tab.

And on the FCA we find the email address mason@inkrocket.net. This may be a typo because the domain ‘inkrocket.net’ doesn’t actually exist. The actual domain should probably be (l)inkrocket.net.

Who Does Soiza Represent?

Based on data from the UK’s Financial Conduct Authority, “Soiza Internet Marketers Limited” is authorized to introduce clients to Quint Group Limited. Quint provides the financial services that Soiza is selling.

Soiza also operates www.unsecuredloans4u.co.uk which is also reselling Quint’s financial products.

I phoned Quint in the UK and was escalated to their compliance director, Graham McGifford, who was very responsive. He told me that Quint does have standards they require their representatives to adhere to and they will take action if needed.

Quint confirmed that Mason Soiza is an authorized representative, or ‘introducer,’ as the FCA’s website calls it.

Graham requested that I send him more information so that they can look into the matter. We will be forwarding this blog post.

Linking Mason Soiza to the 404 to 301 Plugin Spam

You will recall that in Soiza’s own email to Steph (above) which he sent in April of this year while negotiating the purchase of the Display Widgets plugin, he mentioned that he bought the 404 to 301 plugin:

https://en-gb.wordpress.org/plugins/404-to-301/<– bought this a few weeks back still in process of transferring , they have had bad press in the past so we want to fix it and also improve on the current version in terms of “auto 404 fix”.

In August of 2016, we wrote a story titled “404 to 301 Plugin Considered Harmful“. This was a controversial piece and we posted a follow-up titled “We will always put our customers and community first“.

In the follow-up, we mention that the spam from the 404 to 301 plugin was appearing on school websites in the UK and in particular, a UK based “escort” service called cityofescorts.co.uk had appeared on a school website. This is the code that was fetching the spam content for the 404 301 plugin:

And this is an obfuscated screenshot we included in our August 2016 post:

If you do a whois lookup on cityofescorts.co.uk, you discover that the owner is Mason Soiza.

The wpcdn.io server that was being used to serve spam to the “404 to 301” plugin is still up and running today. And if you visit the URL at wpcdn.io that was being used to serve up spam today, it serves up paydayloansnow.co.uk, which we have shown is another Soiza website.

Soiza says he bought 404 to 301. I reached out to the original plugin author, Joel James, to see if that is true. I haven’t been able to contact him.

Back in August of last year, Joel James wrote on this blog:

Did Joel James give Soiza commit access to his code? I would really like to hear more about what exactly happened. Soiza is now saying he purchased the plugin, but we don’t know if that was before or after the 404 to 301 debacle unfolded. Joel if you could comment here to help us understand the timeline, that would be really helpful.

What About the Other Plugins Soiza Bought?

In his email to Steph, Soiza mentions two other plugins. The notes to the right of each arrow are his:

https://wordpress.org/plugins/wp-slimstat/ <– managed by Dino

https://wordpress.org/plugins/finance-calculator-with-application-form/ <– bought 2 days ago as we have a great concept on growing htis and really wanted the name “Finance Calculator” still needs the designer to jump on.

I have not been able to connect with the author of ‘WP Slimstat’.

I did manage to connect with Ciprian Popescu, author if the “Finance Calculator” plugin that Soiza says he purchased and Ciprian was kind enough to share the details with me.

Soiza contacted Ciprian early this year and used an alias of “Kevin Danna”. He expressed interest in buying Finance Calculator.

Soiza then purchased Finance Calculator for $600. During his communication with Ciprian, Mason Soiza appeared to make an error and he accidentally signed one of his emails from the Kevin Danna alias as ‘Mason’. Ciprian shared a screenshot with me:

Soiza also appears to use the Kevin Danna alias on WordPress forums.

Ciprian told me that for some reason, Soiza never updated the plugin after he purchased it. After learning about what happened with Display Widgets, he has taken back control of the Finance Calculator plugin, revoked Soiza’s access and confirmed that it is malware free. I received this message from him:

Hi Mark,

I can confirm that my plugin has not been tampered with. I have pushed an update to remove the ‘financecalculator’ committer, which was Mason Soiza. I am in the process of updating more stuff, such as rewriting some code for a smaller footprint; but the plugin is fully functional and malware-free.

My Communication With Soiza

We now have hard evidence, courtesy of Ciprian, that Soiza uses the “Kevin Danna” email address to communicate with people. We also know that the new owner of Display Widgets plugin was using that address on WordPress forums.

I communicated with “Kevin Danna” via email while researching our previous post. I asked about the “34 plugins” mentioned on the wpdevs.co.uk website that they owned. I also wanted to know if the malicious code in Display Widgets was there intentionally. This is the reply I received from “Kevin”. I published this in our previous post and left out the first few paragraphs. I’m including them this time to give you a sense of who this person is.

Hi Mark,

Just seen this email WOW!

My side of the story is, as you may/may not know. I got diagnosed with Lung Cancer a few months ago, so only have a few months/maybe a year left on this earth. So i sold up all my plugins to numerous people.

The Display Widgets plugin was sold to a company in California who made me sign a NDA. Probably due to the reasons you have highlighted. This is the only plugin i sold to this “guy”. He claims to have lots of “drupal” plugins and this was his first wordpress plugin. I bought this plugin for $15,000 and sold it for $20,000. They told me they was using it to advertise there toolbar, which i suppose you could use to search them up.

In regards to the 34 plugins and counting, that was at the peak of my career. I would buy plugins brand them up towards say a “web design” business on the /wp-admin/ and then sell the web design business along with the plugin with words like “Used by over 100,000+ websites” adding words like that etc inflated the price of the business by xyz and then i would simply flip it as quick as i could. WP Devs is now a defunct company for obvious reasons.

I apologise for any inconvenience i have caused in directly. I wish you the best of luck!.

Thanks

Kevin D

We know that Soiza bought the Display Widgets plugin from Steph and bought Ciprian’s Financial Calculator plugin. We know that Soiza communicates using the Kevin Danna email address. We also know that Mason Soiza owns the domains used for spamming in the “404 to 301” plugin. We also know that Steph sold her plugin for $15,000 to Mason Soiza. The above email is actually the first time I had heard the number mentioned. We also know that the wpdevs.co.uk website was only registered in April, so it’s not an old business from the “peak” of someone’s career.

So I’m going to go out on a limb here and say that Kevin Danna is actually Mason Soiza and based on Soiza’s public Facebook Profile, he is looking quite healthy.

Other Interests

According to a Whoisology search using Soiza’s email address, he owns the following domains:

onlineblackjackexpert.net (Active blackjack site)

0xd0d78w2.info (Listed with Google as serving up malware. See below)

Before Google blocked it, the 0xd0d78w2.info domain was serving up a site that claimed your computer was infected and tried to get you to call a “Microsoft” support line. It looked like this (courtesy of Archive.org):

Business Is Good

Soiza appears to live the high life. On his public Facebook profile, he posts that he attended the Monaco Grand Prix in May of this year.

In April he was at Dead Rabbit in New York ($16 a cocktail).

Last year someone with the name “Mason Reece Soiza” posted a photo of their 2012 Ferrari 458 Italia on rate-drive-co.uk. The thread was discussing an “idiot driver” driving a red Ferrari 458 Italia 2012 model. The license plate is “MA52 SON”.

Business appears to be booming for Soiza.

Wrapping It Up

Our team has assembled a lot of data on Mason Soiza from public sources. He has interests in a wide range of online business that include payday loans, gambling and ‘escort’ services, among others.

He has been active on black hat forums and has been banned from “Black Hat World” (username LinkRocket) and from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a a subreddit called /r/paydayloansnowcouk.

At this point we have confirmed that Soiza purchased the Financial Calculator plugin and the Display Widgets plugin and we have established a financial trail. He added a backdoor to the Display Widgets WordPress plugin to allow himself unlimited publishing access to sites running the plugin.

We also know that Soiza was involved in the spam that originated from the “404 to 301” plugin which he says he bought, although in that case the author has not yet confirmed the sale of the plugin. His escort website and payday loans websites were spammed from the “404 to 301” plugin.

If you are contacted by “Kevin Danna” or “Mason Soiza” and are a plugin author, we advise you to avoid all contact.

As always I welcome your feedback in the comments.

Thanks and Credits

A big thanks to Steph Wells, original author of the Display Widgets plugin who provided the initial financial data we needed to follow the money. Also a huge thanks to Ciprian Popescu, author of the Financial Calculator plugin, who also shared transaction data with me and a screenshot that confirmed Soiza uses the Kevin Danna alias. Both plugin authors worked with me on very short notice, so thank you!!

Also a huge thanks to our team who dropped everything and worked to rapidly build up a profile of Soiza. I’ve mentioned their names on the blog before, but just about everyone pitched in on this post, so you can hit our About page to see who they are. Special thanks to Matt Barry who recognized the connection between Soiza and the “404 to 301” plugin during our research.