Archive for November, 2008

Fake WordPress site distributes WordPress 2.6.4 with Trojan!

Written by EarnBlogger on November 6, 2008.

WordPress users, beware! A fake WordPress site is distributing a backdoored version of WordPress, which can steal credentials without the knowledge of the users who installed it on their blogs. The fake site looks and sounds similar to the official site, and it distributes one altered file in the backdoored, fake 2.6.4 version, which Sophos reported as a Trojan.

Alert: Fake WordPress Site!

The issue came to light when blogger Craig Murphy reported that he received a “High risk vulnerability for WordPress users” warning from the fake WordPress.org site after he logged into his WordPress dashboard. The screenshot of his dashboard shows that the warning prompts users to update WordPress to version 2.6.4, which is not yet released. The update link points directly to a page on the fake site.

The fake WordPress site is Wordpresz.org (currently down), which looks similar, as the last ‘s’ in WordPress.org has been replaced by a ‘z’. After a comparison check by the experts at Sophos, it was revealed that out of 638 files in the fake 2.6.4 version of WordPress, 637 were identical to the official 2.6.3 version. The only difference was the pluggable.php file, which attempts to send the stolen data to wordpresz.org/tuk.php. Now Sophos detects this file as Troj/WPHack-A, which is a Trojan that sends information back to a remote website.

So, how can this happen? Peter Westwood of WordPress, responding to a request by The Register, said that it is an exploit of old and vulnerable WordPress code. He said:

It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.

It is definitely an issue of vulnerable files in old versions of WordPress. After looking at the screenshot provided by Craig, I can guess that it is somehow related to the Snoopy vulnerability, because in Craig’s blog the warning appeared in the area where feeds are shown in the WordPress dashboard, and the vulnerability in Snoopy can be exploited to inject arbitrary shell commands via a script calling the “fetch()” or “submit()” function with a URL controlled by the attacker.

So, what lesson can we take from this? And how can we avoid this kind of attack by fraudsters? The simple solution is to download and use WordPress installations and plugins from the official WordPress site. Then we must update our installation as soon as a security release is announced by the official site. One more thing! Always keep your eyes and ears open. Check a link in your status bar before you click!
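The file-by-file comparison described above (638 files, one of them altered) can be repeated on any download before it is installed. The following is an added example, not code from the original post or from Sophos; the host allowlist, the function names and the two sample trees are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

OFFICIAL_HOSTS = {"wordpress.org", "api.wordpress.org"}  # assumed allowlist
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_release(reference, candidate):
    """Diff a candidate tree against a trusted reference tree."""
    ref, cand = tree_hashes(reference), tree_hashes(candidate)
    changed = sorted(f for f in ref.keys() & cand.keys() if ref[f] != cand[f])
    added = sorted(cand.keys() - ref.keys())
    missing = sorted(ref.keys() - cand.keys())
    # Hosts referenced in changed or added files that are not on the allowlist.
    hosts = {}
    for f in changed + added:
        text = (Path(candidate) / f).read_text(errors="replace")
        odd = sorted({h.lower() for h in URL_HOST.findall(text)} - OFFICIAL_HOSTS)
        if odd:
            hosts[f] = odd
    return {"changed": changed, "added": added, "missing": missing, "hosts": hosts}

def build_sample():
    """Constructed sample trees: identical except for one altered file."""
    base = Path(tempfile.mkdtemp())
    body = "<?php // constructed sample\n"
    for name in ("reference", "candidate"):
        for rel in ("wp-login.php", "wp-includes/pluggable.php"):
            path = base / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Constructed change: the candidate copy references a non-official host.
    (base / "candidate/wp-includes/pluggable.php").write_text(
        body + "$report = 'http://updates.example.test/r.php';\n")
    return base / "reference", base / "candidate"

if __name__ == "__main__":
    print(compare_release(*build_sample()))
```

In practice the reference tree is an unpacked archive fetched from the official site, and any entry under `changed`, `added` or `hosts` is a reason to stop and inspect before installing.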

Be a Magpie : Get Paid for Your Tweets!

Written by EarnBlogger on November 5, 2008.

Want to earn some money from your Twitter account? Take a look at a startup called ‘Be a Magpie’, which pays twitterers for posting ad tweets (they call them magpie-tweets) in between their normal tweets. The magpie-tweets are published by them and all you have to do is give them your password. So, unlike TwittAd, which uses Twitter backgrounds for advertisement, ‘Be a Magpie’ advertises directly through tweets. I’m sure that you will check it out!

How does ‘Be a Magpie’ actually work? It allows advertisers to create ad campaigns with a message and some keywords. Then, the system publishes those ads in between regular tweets and you get paid for it! They publish tweets, on your behalf, that match the topics you are twittering about. How often do they publish the ad tweets or magpie-tweets? Well, it depends on your own choice. You can choose to have one magpie-tweet per 20 tweets or one magpie-tweet per tweet. The default is one magpie-tweet every five tweets. This is very important, as too many ad tweets may annoy your followers.

How much can you earn? Your earnings will depend on the total number of followers you have on Twitter. The more popular you are, the more advertisers will compete for a tweet in your timeline and ultimately you will earn more. The value of a magpie-tweet is assessed through automated bidding by the advertisers that compete for advertisements. They will pay you via PayPal once your accumulated earnings reach € 50.

So, how do you start? Anyone over 18 years of age with a Twitter account can register as a publisher on the Magpie network. Simply enter your Twitter name in their sign-up page and you will get an idea of how much you could earn. If you are interested in going forward, just give them your Twitter password and start earning! Well, in order to get paid, you must have a PayPal account and I’m sure that you have one.

Notifu : Send Instant and Free Group Messages

Written by EarnBlogger on November 3, 2008.

Yesterday, I came to know about Notifu, a new web service, with which you can send instant messages to an individual or to a group of people, know if your message was received or not and gather responses to make decisions. I found it interesting, because it is instant, interactive and perfect for sending group messages. Let’s take a look at what you will get there!

Notifu supports all major browsers and can send a message via Email, SMS, Phone, AIM, Gtalk, ICQ, MSN IM and Yahoo IM. With Notifu, you can also track the delivery of your messages. You can learn which recipients have acknowledged receiving the message and which have not. You can even use a sequence of addresses that should be tried in order to deliver a message. This feature is helpful in case of urgent messages.

Notifu also allows the sender to optionally specify one or more Response Choices, which makes group decisions easier and faster. For example, you can give a set of choices for when/where to meet or which design to select and get the results tallied instantly as each recipient responds.

Right now, Notifu is 100% free (including sending SMS and voice messages to anywhere in the world); however, it is likely that in the near future they will have two editions – Free Edition and Pro Edition. So, this is a good time to use their service, as it is all free now!

In order to use Notifu, you must register yourself as a member. But they also offer a “Try It Unregistered” option that will enable you to send messages and understand the service without opening an account. However, as an Unregistered User you cannot access your Notifu messages and contacts after leaving www.notifu.com. Still, it is a nice option to try!

$200 Giveaway from Chitika

Written by EarnBlogger on November 1, 2008.

Want some free money? Chitika is giving away a total of $200 to its publishers for revealing the most interesting/cool/unique placements of Chitika | Premium ads. The first place winner will receive $100, and 2 runners-up will receive $50 each. All you have to do is find some interesting and unique placements of Chitika | Premium ads that generate very high CTR/eCPM.

Chitika | Premium is a smart ad solution from Chitika that displays behaviorally targeted CPC ads to search engine traffic. According to Chitika, it was designed to be the highest-performing ad unit (eCPM) for its publishers. Right now, I am using it on some of my blogs and it really performs well. If your blog or website receives a good amount of search engine traffic, then Chitika | Premium will definitely help in maximizing your blog or website revenue.

So, if you are a publisher of Chitika ads, then this is the right opportunity to grab some free money! Just think about interesting placements of Chitika | Premium ads and implement them on your blogs or websites. Then send your entries with links to your interesting Premium ad placements to specialprojects@chitika.com. You can also drop your entries in the form of a comment on this official blog post. Just don’t forget to include a sentence or two about your ad placement and why it is unique or cool. All entries must be received by 12:00pm US EDT on Monday, November 10. Hurry!