Sweet Captcha: WordPress plugin spread ads serving malware

A year ago I raved over the discovery of Sweet Captcha, a free captcha plugin for WordPress.

At the time, and until yesterday, the plugin appeared to do its job quietly, blocking thousands of spam comments on my blog posts.

Unfortunately, since at least Sunday, Sweet Captcha has been quietly serving pop-ups and pop-unders to visitors that click on links. The majority of these ads came from mediaupdate15.com, serving rogue malware, ransomware and other content.

I spent two days wondering whether my workstation was infected, and ran extensive tests only to discover that all issues disappeared once Sweet Captcha was disabled, removed and deleted from the WordPress blogs.

In a cunning manner, the ads would set a cookie with a lifespan of several minutes, so that subsequent visits would not display ads immediately. That kept me from identifying the issue at first.
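One way to check a site for this kind of behaviour without being fooled by the suppression cookie is to enumerate every third-party host the page loads scripts or iframes from and compare that list against the hosts you expect. The code below is an added example, not part of the original post or the plugin; it assumes the ads arrive through script or iframe tags pointing at a third-party host, and the HTML, the site host `example.com` and the allowlist are constructed for illustration.

```python
# Added example (not from the original post): list the third-party hosts a
# page loads scripts/iframes from and flag any that are not on an allowlist.
# Assumption: injected ads arrive via <script>/<iframe> src attributes.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def external_hosts(html, site_host):
    """Hosts the page loads scripts/iframes from, excluding the site's own
    host and relative URLs. Protocol-relative URLs (//host/...) are handled."""
    parser = _SrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def unexpected_hosts(html, site_host, allowlist):
    """Third-party hosts on the page that are not on the allowlist."""
    return external_hosts(html, site_host) - {h.lower() for h in allowlist}


# Constructed sample page: own scripts, a known CDN, and the ad host named in the post.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/x.js"></script>
<script src="//mediaupdate15.com/ad.js"></script>
</head><body><iframe src="https://mediaupdate15.com/popunder"></iframe></body></html>"""

ALLOWLIST = {"cdnjs.cloudflare.com"}  # hosts this site is expected to load from

if __name__ == "__main__":
    # Fetch each page with a fresh client (no stored cookies) before feeding it
    # here, so a short-lived suppression cookie cannot hide the injected ads.
    print(sorted(unexpected_hosts(SAMPLE_HTML, "example.com", ALLOWLIST)))
```

Run the fetch with a fresh cookie jar for every check; a cookie set on the first visit is exactly what kept the ads hidden on repeat visits.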

The Sweet Captcha incident is described in detail at the Sucuri blog, and the WordPress plugin has been removed from the WordPress.org repository. You can view a cached page here.

I hope the removal is permanent.

With the proliferation of WordPress as a publishing medium, one has to be very skeptical and careful about the use of plugins that can open a window to digital maladies. I no longer trust, nor do I recommend, Sweet Captcha; once the trust is gone, it’s gone for good.

Comments

  1. Yes, this is in fact the case as of today. We have experienced this with a number of our hosting clients and have required them to deactivate and uninstall the plugin.

  2. These guys at SweetCaptcha went to the dark side and should have their heads handed to them.
    I spent many hours trying to find what caused the odd pop-unders and pop-ups on my client's site.
    As far as I am concerned they can make up whatever story they want, but they can never be trusted again. I made sure my server company knew about what was coded into it so they could shut down the use of the plugin across all their servers, and I suggest anyone out there should do the same: notify your host, send them to the Sucuri page as proof and make sure they block the use of that plugin. The fewer people who can use the plugin the better; the goal is to shut down SweetCaptcha and put them out of business completely. They must be shown you can’t try and trick your user base.

    Maybe when they have very few to no users they will get the point.

  3. We too chased our tails for a few days and never thought to check that sweet little plugin that turned to the dark side. Thanks!!! We are running clean again. Proves the old adage we saw recently in politics: trust but verify.
