New WordPress Hack Spam with Dangerous Links

We're blocking new email spam that links to dangerous files on hacked WordPress sites. The subjects and content differ, but this could be the work of a single hacker. Subject lines (and type of scam) include:

  • Important E-mail Account Verification Notice (Email Phishing Scam)
  • Moscow 2015 (Fake Dropbox)
  • FW: NEEDED MATERIALS (Malicious link)
  • Re: Popular Vagra web shop (Viagra)
  • Affin Bank Update required (Bank Phishing Scam)

This campaign is interesting because of the large variety. Read on to learn what this is and how to recognize it. Feel free to share this blog with your co-workers so they can also be on the lookout to avoid becoming a victim if your antispam program or service is not keeping up with it.


WordPress Hack Spam

WordPress is probably the most popular content management system out there. People use it to blog, create websites, etc. Because its use is so widespread, it is a bigger target for "exploits" that allow scammers to hijack otherwise innocent computers for nefarious purposes.

Email spammers find such a weakness and hack into someone else's WordPress directory, installing or replacing a file there. Then they send out email with a link to that file. Usually, when the email recipient clicks the link, the file opens and redirects them to the spammer's website, which is somewhere else on the Internet. That's the file that does the damage (it has a virus, a fake login page, etc.).

How WordPress Hack Spam Works


This "hopscotch" approach is popular because it can fool some antispam programs that filter email with "click-me" links to known spam websites. They would block email that linked directly to the spammer's page. Instead, the spammer uses an intermediate link to a website that may seem harmless to antispam programs, but it takes the user somewhere dangerous.

How to Spot WordPress Hack Spam

First of all, you should never click the link in an email, especially one that sounds urgent. That being said, to identify WordPress (and some other) spam, hover over the link in your browser. You'll probably see that it points to a web page with "wp-admin", "wp-content", etc. in the pathname. Legitimate email does not link to directories like that.

Antispam programs that don't filter based on patterns and don't have live threat analysts often take a while to catch up with threats like this. We tend to find them very quickly because we have live threat analysts looking for spam, viruses and other email-borne threats 24/7/365.

Tuesday's Wave of WordPress Email Spam

Our professional threat analysts keep up with new threats 24/7/365, so they can identify such spam very quickly and block it. Then, future emails using that hacked page will also be blocked.

On Tuesday, we saw and blocked a wave of WordPress spam. Assuming it was from the same spammers (and not just a coincidence), this campaign had a lot of variety in subjects and content. Subject lines included the following:

  • Important E-mail Account Verification Notice
  • Moscow 2015
  • FW: NEEDED MATERIALS
  • Re: Popular Vagra web shop
  • Affin Bank Update required

Using multiple filters, we're blocking these, and probably the variations that will appear shortly, for our global customers. If you have to do your own spam filtering, you'll want to update your filters to reflect text patterns, WordPress URLs, etc.
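
One way to apply the "wp-admin"/"wp-content" path check in your own filtering, as an added example (not SpamStopsHere's code). The function names, the sample message, the example.com/example.org hosts and the extra "wp-includes" directory are assumptions made for illustration. It matches whole path segments, so an ordinary page whose name merely contains "wp-content" is not flagged.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "wp-admin" and "wp-content" are from the article; "wp-includes" is an added
# assumption (another standard WordPress directory).
WP_DIRS = {"wp-admin", "wp-content", "wp-includes"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.urls += [v for k, v in attrs if k == "href" and v]

def extract_urls(raw_email):
    """Collect link targets from every text/plain and text/html part."""
    urls = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            parser = _Hrefs()
            parser.feed(text)
            urls += parser.urls
        else:
            urls += URL_RE.findall(text)
    return urls

def wordpress_internal_links(raw_email):
    """Return URLs with a WordPress internal directory as a path segment."""
    return [u for u in extract_urls(raw_email)
            if WP_DIRS & set(urlsplit(u).path.lower().split("/"))]

# Constructed sample message; host names are placeholders.
SAMPLE = """\
Subject: Important E-mail Account Verification Notice
Content-Type: text/html; charset=utf-8

<p>Verify <a href="http://blog.example.com/wp-content/themes/x/verify.php">here</a>
or read the <a href="https://www.example.org/help/wp-content-guide">guide</a>.</p>
"""

if __name__ == "__main__":
    print(wordpress_internal_links(SAMPLE))
```

A hit is a signal to quarantine or score the message, and works best combined with the subject and text patterns mentioned above.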

As soon as we see a new WordPress hack spam, we add it to our pattern database and block future occurrences. The only way to do that is with a 24/7/365 live threat review team, like we've got.

For More Info

SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.



The "WordPress" name is owned by the WordPress Foundation. This article is for informational purposes. Nothing in this article is meant to suggest an affiliation with or endorsement by the WordPress Foundation or the WordPress open source project.

Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.