WordPress blogs targeted scam – beware of the adv.zip plugin!
It looks like scammers are just getting smarter by the day. And this time, I had the ‘opportunity’ to be targeted by one that seems to be scamming wordpress-based blogs.
Here was how it all got started.
It seems that some guy posted a comment on my blog asking me if I was interested to have a banner ad placed on my blog for a fee. Hmmm. To be honest, I was initially skeptical but curious. So I decided to write an email across and see what it’s all about.
Then I got a response.
Hello, Thanks for reply to our proposal! I represent Bevesto Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160x600, 240x400, 300x250, 336x280, 468x60, 728x90. What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month. Best regards,� Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
Seemed like a human response. But it seemed weird that an agency would want to put a banner for Lacoste on a tech website. So this started to sound a little fishy. I was aware that there were some scams going about with banner ad codes that was malicious. Therefore, I tried to search for the advertisement agency name “Bevesto Agency” on google. No results. Not even one! Wow. That triggered all the alarm bells in my head! There’s just no way that an advertisement agency with a contract with Lacoste does not have any references at all on Google.
At this point, this definitely points to a scam in progress. But I wanted to investigate further, so I replied my ‘rate’ and a proposal to put the banner in blog and then specifically asked for the banner art and the target link for the ad campaign. I’ve also send a screenshot of my blog in the email. And a response did come back.
Hi! Unfortunately we can’t open the attached file. Please send the information in the e-mail message. Best regards,� Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
That’s probably because it was in PNG format (the default format for OS X screenshots) so that shows that there’s actually a human person replying to these exchange of emails! So I sent a jpg version and the following response came back.
Hi! Thanks for reply to our proposal! We like your price. To pass to the banner control system follow the link http://webmaster.bevestoagency.com To enter use the following data: login: www.atpeaz.com password: ###### You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://www.atpeaz.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made. To get installation instruction for your site type pass to: http://docs.bevestoagency.com/wp_install To activate your site you have to enter the code: UEP-EVH-### What way of payment is suitable for you? Best regards,� Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
What? A wordpress plugin needs to be installed? That’s new. And it sure looks like an attempt to insert malicious code into my blog. So I decided to try and log in to the site and wanted to see the plug-in code. The following is the screenshot of the site where you are supposed to download the plugin. What ‘impressed’ me was that they actually created a profile for my account and also updating the price and banner type that I agreed upon.
And there’s even a help guide on how to install the plugin!
And as for the plugin, the filename is adv.zip and a quick search on Google finally provided some hits on this devious scam. Here is another similar account with an ‘ad agency’ of a different name, also claiming to serve Lacoste. Wow. The exact same modus operandi, but using a different ad agency and domain name. Check out the comments too and see more similar accounts of the same scam!
The curious me obviously decided to peek into the plugin code (and of course NOT installing it at all!!!)
Here are some parts of the code and what happens when I invoke them manually.
1. It’s built to easily allow different domain names to be used. Notice the ADV_SERVICE_DOMAIN variable used to easily change the url construct.
define('ADV_SERVICE_DOMAIN', 'bevestoagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');
2. Here’s what returns when I manually construct and requested from the URL that supposedly activates the ad code.(http://webmaster.bevestoagency.com/key?action=init&key=UEP-EVH-###&domain=www.atpeaz.com). It’s basically an XML response with the agreed banner size. Smart. There’s actually a database of user preferences running at the scammer’s end.
<banner> <key>true</key> <width>728</width> <height>90</height> </banner>
3. Next the downloadBanners() function would be called and the following URL (http://webmaster.bevestoagency.com/key?action=getBannerList&key=UEP-EVH-###) would be constructed and invoke, providing the following XML response.
<banner> <adv>lacoste</adv> <mode>test</mode> <banner_item>728x90/1.gif</banner_item> <banner_item>728x90/2.gif</banner_item> <banner_item>728x90/3.gif</banner_item> <show_banner>lacoste/728x90/1.gif</show_banner> </banner>
4. And based on that array of banner_item data, the code would then proceed to download to your server the following banners that seems to be valid image files. But try not to download them JUST in case they are malicious GIFs. I’ve looked at them using a sandboxed browser just in case. They seemed to be valid animated Lacoste ads, cheaply made but enough to fool a unsuspecting person.
http://docs.bevestoagency.com/lacoste/728x90/1.gif http://docs.bevestoagency.com/lacoste/728x90/2.gif http://docs.bevestoagency.com/lacoste/728x90/3.gif
Malicious GIF images?
And it seems that that’s all it does. Apart of course from downloading all that banners onto your blog and putting it up on your blog via the widget placement. Perhaps I’m missing something from reading the code. If anyone is interested to discover more to see if they can fully decipher the plugin codes, feel free to download it here (extracted to its php form already) from my dropbox. Just remember NOT TO INSTALL IT on your own WordPress blog!
But perhaps the intent was never really to put malicious code into your blog but to social engineer you into revealing your payment account details, and eventually trick you somehow into revealing the access to that account. Now that’s a scary thought. On this, I obviously do not want to pursue the email conversations further.
Well as the saying goes, when it’s too good to be true, it’s probably really too good to be true.
Update:
Interestingly enough, I still got an email from ‘Rayan Meyer’ to remove the plugin.
Hi! Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future! Best regards, Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
Please Google +1 my article if you think it was useful. Thanks!
Check out the following posts too!
-
Hi Ken. I thought I’d add my url to this discussion. I tweeted your url just now. The more information on this, the better. Here is my story on the same scam:
http://brianmahoney.ca/2011/11/wordpress-comment-scam/ -
Lucky I saw your post before I went further on the scam. I had a similar email with a different name. > Mathis Gaillard at [email protected]
-
Got the same scam from a Killian Blanchard at Jino Agency, [email protected]. Thanks for sniffing this out!
-
I got the same email – I moved my site to a sandboxed host, just to test it out, and see what happens.
Maybe the plugin doesn’t actually do anything, it just makes it easier for people to manage the ads.
It might not be a scam after all, all they are doing is mass emailing people, not paying, and getting the brand name out there – they’re doing a good job with all these comments.
-
It might not be a scam? I don’t think Izod Lacoste advertises this way, do you? If you check the ‘company’ sites, they haven’t been updated since 2007 and there is nothing there at all. It will be interesting to see what happens. My fear is that once you get the ads up, they will change what they lead to and, of course, never pay you. Let us know what happens, if anything ever does.
-
#15 written by TBM 1 year ago
I can’t believe I fell for this. I’m usually so cautious, but googling up “lekkaagency” (Lorenzo Roche is the name my scammer used) did not bring up any bad results and neither did scanning the adv.zip files with kaspersky. So, I said to myself, “what the heck, if it doesn’t work, I’ll just remove the plugin and no harm done!”
Problem is, I can’t remove the plugin. I can delete the widget, but the wordpress dashboard keeps showing the ADV tab in settings. How can I completely get rid of this?
-
I found this plugin: http://wordpress.org/extend/plugins/wp-security-scan/
and I suppose there are more which check the integrity of your installation. I think Kaspersky would only look for a virus/computer link not a virus/WP installation link. It may not be a virus in the general sense. I posted a question on a PHP forum but have not had any response. Ken had done a good job of figuring out what it does so this is a surprise. -
Thanks for the info. I received the email from Killian Blanchard/[email protected], and was suspicious about a request to pay me for banner ads, since my website gets maybe 5 views a month.
Glad I did a little investigating first! -
#20 written by TBM 1 year ago
-
I was also targeted by these scammers. I sent an email about this banner ad scam to Lacoste and am awaiting their reply.
-
Thanks for your timely article, I just hope it wasn’t too late for me!! I’m normally on top of these type of scams, must have been the Xmas mood, I thought it was real
I actually downloaded the ADV plugin and uploaded to my blog but when I tried to activate it, it triggered a fatal error so I promptly deleted it using the wordpress plugin section.Do you think anything would have been run on my blog seeing as how it triggered a fatal error and the status of the plug in was Inactive?
Am worried for the health of my blog now!!
Thanks in advance
-
In my instance this is what the email looked like:
Hello,
Thanks for reply to our proposal!
I represent Lego Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner â top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.Best regards,
Julien Fontaine.
site: http://www.lego-agency.com
e-mail: [email protected]
phone: + (0)9 78 62 78 88And when you google their agency, you do get a website. Granted it’s in French but it’s a full website so the illusion is complete
-
#27 written by tc 1 year ago
I was just about to be scammed. Pasting it here to save some others. Here is the email I got.
I represent Nana Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.Best regards,
Matthieu Colin.
site: http://www.nanaagency.com
e-mail: [email protected]
phone: + (0)9 78 62 57 86 -
#29 written by Karen Krueger 1 year ago
I was suspicious of the email I got asking to advertise on my corvette site from Matthieu and the NanaAgency So I passed it by my husband. He didn’t see anything suspicious, so I wrote back with a price…and I got the same email saying yes the price was good… then to download a plugin because they don’t want to use Javascript. Well it’s been my experience, html works just fine, so there shouldn’t be a problem… But when they told me to login and download a plugin…my spider hairs stood up. I wrote back asking if they were looking for payment from me…and the response was no… just download the plugin. That’s where I stopped. I didn’t even want to look at the plugin let alone download it or install it.
It is my advice, if you don’t know who you are dealing with, don’t click anything, don’t download, or install anything! Just my two cents.
And THANK YOU for your article…. I was looking for something to substantiate my hunch. Sometimes plugins can have a call back home, or some type of back door to your site… it might not be obvious…I’m not a coder or programmer, just someone who has been burned in the past.
Take care,
KKrueger -
Thanks a lot for posting this! It does help many people to identify this as a scam. Currently it seems to be running under Valentin Lopez / Gera Agency …
I have written some more details here:
http://moonpixel.com/banner-scam-with-adv-plugin-for-wordpress-ads-from-paris-agency/ -
I emailed LaCoste to let them know what was going on and to double-check what we already knew to be true about the legitimacy of these emails. I got a reply from LaCoste confirming that these people are completely illegitimate.
-
Thank you very much, Ken Ng. If I haven’t see your article, maybe I have been cheated.
I’m a Linux system administrator from China, I’d like to exchange friendship links with you. Do you mind?Here is the email I got from the scammer.
—
Hello,Your site was found by Google. It fits our advertising requirements.
I represent Gemerro Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.Best regards,
Victor Brunet.
site: http://www.gemerro.com
e-mail: [email protected]
phone: + (0)9 78 62 93 11 -
i received the exact email and give them prices for advertising on my site and then they sent me a banner but whenever i tried t upload and activate that banner it gave me the following error.
Plugin could not be activated because it triggered a fatal error.
Fatal error: Cannot redeclare class AdvWidget in /home/user/public_html/wp-content/plugins/adv2/adv.php on line 32so i sent them email and they said try to upload in a fresh new directory under plugin folder so i did but kept getting the same error.
then i was searching for the solution for that above mentioned error and came across your site. and got shocked. thanks for saving. i just removed the plugin from my site.
Thanks for the saving the life.
Cheers
-
#35 written by javabros 1 year ago
Thanks for your post, I also have been contacted with this possible scammer but using the name Victor Brunet from Gemerro Agency claiming representing Lacoste company. Same like you, my suspicion arise when he instructed me to install wp plugin below :
http://docs.gemerro.com/wp_install/
Thanks for saving me from this scam
-
#36 written by Eastwood 1 year ago
Contacted by Noah Vincent with the same method:
Noah Vincent
site: http://www.legretto.com
e-mail: [email protected]
phone: + (0)9 78 62 60 53 -
Yea, they do change to a ‘new agency’ pretty quick to avoid being listed as a scam when new victims searches the web for their name. Let’s just hope they don’t change the plugins name, so that most would also google for it when they are approached to install the plugin (if that’s not already a huge red alarm bell ringing!)
-
Scam Advertiser email : [email protected]
From us :
Hi Noah,If you are interested in placing a banner please
send in your banner(.jpg/.gif),
text link or script only
make a payment to book your spot instantly.Once you have completed these steps please get back to us and your banner will be live in 24 hours.
Noah Vincent ✆ [email protected] to admin
show details 1:39 PM (4 hours ago)
Hi!
Unfortunately, we can\’t place our banners through mentioned system. All our banners must be controlled by the plug-in, it is an advertiser require. If you agree with it,provide us with the available banner sizes, locations and prices, we\’ll choose the most suitable.
- Hide quoted text -Best regards,
Noah Vincent.
site: http://www.legretto.com
e-mail: [email protected]
phone: + (0)9 78 62 60 53 -
#40 written by Paul 1 year ago
Got the same from legretto…
To pass to the banner control system follow the link http://webmaster.legretto.com
To enter use the following data:login: website.com
password: 1VKMM2CNYou should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://website.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.
To get installation instruction for your site type pass to: http://docs.legretto.com/wp_install
To activate your site you have to enter the code: IFW-P3W-BUAWhat way of payment is suitable for you?
Best regards,
Noah Vincent.
site: http://www.legretto.com
e-mail: [email protected]
phone: + (0)9 78 62 60 53 -
#41 written by johnny 1 year ago
they fished me too
They used the name of
Guraci
http://www.guraci.com/
Samuel Charles.
same Lacoste approach.
I feel a fool I follwed up for too long, but not enough to get to install the plug in. Thank you for the post and all the comments -
Leave a Reply
- Comment Feed for this Post
Thanks for the heads-up. I was suspicious of their email from the start and decided to google the name ‘Bevesto Agency.’ Your research has confirmed my suspicions.