Scam warning for MyBB plugin developers

There is a new scam method being used since January 2016. New users with fresh accounts and very little posts are showing up in the official MyBB community forums or contacting MyBB plugin authors directly.

They are looking for custom plugins and promise to pay money above average prices for the plugins. They do accept the usual process in this case: The plugin is developed and the plugin author does provide a testforum based on MyBB to test the plugins abilities by the customer. After that, the coder is being paid and the plugin is delivered.

The new scam method has been reported by two plugin authors already and looks like this:

When the plugin is completed, the scammer does get an admin access for the specific forum to test the plugin. During this test, the scammer tries to hack MyBB to get access to the plugins PHP file. This activity looks like this in the admin logs:

MyBB Administrator log

The IP address displayed in the administrator log was in both cases an endpoint of the TOR network, which should be an alert for everybody in this case.

If he is successful, he’ll be able to download the plugin without paying the developer. The scammers account on the community forums will no longer be active and the plugin coder does never see the money promised by the user.

If the MyBB forum is secured and it is not possible for the scammer to download the plugin file directly, they’ll try to trick the plugin coder in allowing them PHP insertion. They’ll make up a story why this is absolutely needed for testing:

MyBB scammer

There are MyBB plugins which do allow PHP execution inside the MyBB templates for example. If you do allow PHP execution, a simple file listing of the files inside the plugin directory and another simple execution of the file_get_contents PHP method will suffice.

There are the following ways to protect yourself from these new scamming methods:

  1. Setup the plugin test on a different server where no other websites are hosted. If the scammer does get access to the system, he’ll not be able to get access to important data or your own websites.
  2. Always use the latest MyBB version without known security issues for plugin demonstrations.
  3. Never allow anybody you do not absolutely trust to execute PHP functions directly on your server. With PHP you can do almost everything on your server, especially if exec is allowed.
  4. Be careful if the scammer is new to the community or has no reputation. If the scammer is suspicious because he asks for PHP or FTP access, if he does not tell you which forum the plugin shall be for or if he does act strange during the tests (watch admin logs) better stop working and delete his admin access.
  5. Report the scammers in the official community forums so that they cannot scam anybody else. At least not with the same account.

It’s sad to see that there are people trying to scam plugin authors which are a useful part of the MyBB community. I hope that this post will save some authors. Happy coding!

Leave a Reply

Your email address will not be published.