"A Pop Star Wants You in their New Video..."

Official Cardi B website plagued by spammers

We come bearing tidings of proper website maintenance and general housekeeping for singer Cardi B (or rather, for her web development team). At first glance, it appeared as though her website had been hacked a few days ago. But a look under the hood told a different story.

We were surprised to see the following lurking on the official Cardi B website:

[Image: Cardi spam]

Ignore the privacy policy pop-up. Websites can’t get enough of those these days, thanks to GDPR. No, what we’re talking about is the peculiar blast of messed up spam text all over the page. Had it been compromised? Or was something else to blame?

Things certainly didn’t look great. Even worse for the singer, the front page of her site was touting similar spammy vids:

[Image: Video spam]

I could be wrong, but I don’t think her fans are particularly interested in clickthroughs to fake movie streams and a football match involving Stoke City and Wigan Athletic. The spam links also found their way onto the photos page:

[Image: photo spam]

Those are definitely photos, but not so much of a singer singing. What happened here?

It seems the site allows people to sign up as registered users, then post comments. Somewhere along the line, this feature has attracted the ire of spammers who figured out a way to not only plaster individual pages with spam links, but also feed said spam onto various main sections of the site as a whole.

We’ve posted at length regarding the correct treatment of user-posted comments, and we’ve also taken a look at how things can go wrong with plugins and third-party tools. When it comes to our own site, we keep a sharp eye on spam, moderate comments, and close comments sections after a certain amount of time. With the amount of junk floating around the web, you can’t afford to be lax where keeping a tidy online presence is concerned.
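The moderation approach sketched above, as an added example written for this post (not the Cardi B site's own software): new or link-heavy comments are held for review, comments close on older posts, and only moderator-published comments ever reach aggregated sections such as the front page or photos page. Thresholds, function names and the sample comments are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values from the site discussed.
MAX_LINKS = 1                             # more than this is held for a human
COMMENTS_OPEN_FOR = timedelta(days=30)    # comments close on older posts
NEW_ACCOUNT_AGE = timedelta(days=2)       # fresh sign-ups are always moderated

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def classify_comment(text, account_created, post_published, now):
    """Decide what happens to a new comment: 'publish', 'hold' or 'reject'."""
    if now - post_published > COMMENTS_OPEN_FOR:
        return "reject"                   # comment section already closed
    if len(URL_RE.findall(text)) > MAX_LINKS:
        return "hold"                     # link-heavy: typical of stream/video spam
    if now - account_created < NEW_ACCOUNT_AGE:
        return "hold"                     # brand-new account: review before display
    return "publish"

def front_page_feed(comments):
    """Aggregated sections only show comments a moderator has published.
    Anything 'hold' or 'reject' never reaches the front page or photo pages."""
    return [c["text"] for c in comments if c["status"] == "publish"]

def run_sample():
    """Constructed comments on a post published 2018-06-01, evaluated on 2018-06-03."""
    now = datetime(2018, 6, 3, tzinfo=timezone.utc)
    post = datetime(2018, 6, 1, tzinfo=timezone.utc)
    old_post = datetime(2018, 1, 1, tzinfo=timezone.utc)
    established = now - timedelta(days=400)   # long-standing account
    fresh = now - timedelta(hours=3)          # signed up a few hours ago
    raw = [
        ("Loved the new video!", established, post),
        ("WATCH FREE http://example.invalid/s1 http://example.invalid/s2", fresh, post),
        ("First!", fresh, post),
        ("Still listening to this one", established, old_post),
    ]
    comments = [{"text": t, "status": classify_comment(t, a, p, now)} for t, a, p in raw]
    return comments, front_page_feed(comments)
```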

While the rogue pages in question seem to have been taken down, simply searching for the Cardi B website in Google reveals the damage done to the site’s search results:

[Image: google results]

Spammy results such as the above can take a long time to filter out of search engines, and it isn’t great to have things like that sitting at the top of the searches alongside legitimate results.

[Image: more spam]

There’s been a cleanup since Cardi B fans started talking about it on social media. Though you can still access the login page for existing user accounts on the site, it looks as though new sign-ups have been disabled so the site admins can bring everything back under control.

[Image: registration]

While a spam outbreak is never good, especially when it spills onto your home page, it appears the scammers had nothing but spam in mind—so no malware links were forthcoming. What was in evidence, however, was any number of cookie-cutter links to video streaming sites and YouTube clips.

[Image: movie stream site]

With so many links spammed, and tedious work to be done to check each one individually, there’s no way to guarantee final destinations were entirely free from harm. If you think you might have ended up on something other than a YouTube video or movie sign-up page via any of these links, then it’s a good idea to run some anti-malware scans on your PC and ensure you’re clean.

As for Cardi B, hopefully the site admins will be able to keep a lid on the kind of spam outbreaks they’ve experienced over the last couple of days. Social features for users of your site are great, but those services need to be balanced with tight moderation and a limit on where said features can take you—even if it is Stoke City versus Wigan Athletic.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.