Popular WordPress Plugin Modified to Inject Spammy Links

Slashdot had an article earlier this month about a popular WordPress plugin being used to inject spam links. The attack was very unusual in that the plugin code itself was modified by a rogue developer to insert spam links into the content it generated, and this tampered version was then available for download via the official WordPress plugins directory.

Attacking hosting software is valuable to spammers because it lets them piggyback on the positive reputation earned by a legitimate website, in contrast to the neutral or possibly even negative reputation they would have with a newly registered domain. It is usually a lot easier for a spammer to steal and ruin someone else’s hard-earned positive reputation than to earn a positive reputation of their own.

Earlier this year we discussed how WordPress-powered websites were being increasingly targeted by spammers. We are all familiar with techniques such as exploiting software vulnerabilities and attempting to guess, crack or reset passwords. The Slashdot article points out that even if you do your best to keep software up to date and manage your passwords, the software itself might be the attack vector: here the malicious code arrived through the normal plugin update channel, so patching promptly would have installed it rather than removed it. In horror movie cliché terms, sometimes the phone call really is coming from inside the house!
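Because the tampered plugin was served by the official directory, checking plugin files against the directory's own copy would not have flagged it; what does give it away is the output. Injected SEO links are typically placed off-site and hidden from visitors (inline `display:none`, `visibility:hidden`, zero opacity, or the `hidden` attribute) so that search engines still index them. The following is an added example, not code from the original post or from the plugin it discusses: it parses a rendered page with the standard library, lists every outbound link whose host is not on a site-specific allow list, and ranks hidden ones first. The allow list, the sample page and the `.invalid` spam domains are constructed for illustration.

```python
"""Flag outbound links injected into a rendered WordPress page.

Added example (not from the original post or the plugin it describes).
ALLOWED_HOSTS and SAMPLE_PAGE are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that may legitimately appear in outbound links on this site (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com", "wordpress.org"}

# Inline styles that keep an element out of the visitor's view while leaving
# it in the HTML that search engines index. opacity:0 must not match opacity:0.5.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I
)

# Elements that never get a closing tag, so they are not tracked as containers.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class LinkAuditor(HTMLParser):
    """Collect every <a href> with its link text and whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, hidden, text)
        self._hidden_open = []   # tag names of currently open hidden containers
        self._current = None     # [href, hidden, text] of the <a> being read

    @staticmethod
    def _is_hidden(attrs):
        attrs = dict(attrs)
        return "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

    def handle_starttag(self, tag, attrs):
        if self._is_hidden(attrs) and tag not in VOID_TAGS:
            self._hidden_open.append(tag)
        if tag == "a":
            href = dict(attrs).get("href") or ""
            # A link is hidden if it or any enclosing container is hidden.
            self._current = [href, bool(self._hidden_open), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if self._hidden_open and self._hidden_open[-1] == tag:
            self._hidden_open.pop()
        if tag == "a" and self._current is not None:
            href, hidden, text = self._current
            self.links.append((href, hidden, " ".join(text.split())))
            self._current = None


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return outbound links whose host is not allow-listed, hidden ones first."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for href, hidden, text in parser.links:
        host = urlparse(href).hostname
        if host is None:                      # relative link or mailto:, stays on-site
            continue
        if host.lower() in allowed_hosts:
            continue
        findings.append({"href": href, "host": host, "hidden": hidden, "text": text})
    findings.sort(key=lambda f: not f["hidden"])  # stable: hidden links ranked first
    return findings


# Constructed sample: a normal page with a hidden block of injected spam links
# and one visible injected link in the footer. The .invalid TLD is reserved.
SAMPLE_PAGE = """
<html><body>
<p>Read our <a href="/about">about page</a> or the
<a href="https://wordpress.org/plugins/">plugin directory</a>.</p>
<div style="display: none">
  <a href="http://cheap-pills.invalid/buy">cheap pills</a>
  <a href="http://casino.invalid/">online casino</a>
</div>
<footer>Powered by <a href="http://seo-spam.invalid/">great hosting</a></footer>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        flag = "HIDDEN " if finding["hidden"] else "visible"
        print(f"{flag} {finding['host']:<22} {finding['text']!r} -> {finding['href']}")
```

Run it against the HTML your site actually serves (fetched as an anonymous visitor, since some injections only appear to search-engine user agents) rather than against the theme or plugin source, and diff the allow-listed output between plugin updates; a new off-site host appearing right after an update is exactly the signal this incident would have produced.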

