WordPress blogs targeted scam – beware of the adv.zip plugin!


It looks like scammers are just getting smarter by the day. And this time, I had the ‘opportunity’ to be targeted by one that seems to be scamming WordPress-based blogs.

Here was how it all got started.

It seems that some guy posted a comment on my blog asking me if I was interested in having a banner ad placed on my blog for a fee. Hmmm. To be honest, I was initially skeptical but curious. So I decided to write back and see what it was all about.

Then I got a response.

Hello,

Thanks for reply to our proposal!

I represent Bevesto Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160x600, 240x400, 300x250, 336x280, 468x60, 728x90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

Best regards,
Rayan Meyer.
site: www.bevestoagency.com
e-mail: [email protected]
phone: + (0)9 78 62 87 22

Seemed like a human response. But it seemed weird that an agency would want to put a banner for Lacoste on a tech website. So this started to sound a little fishy. I was aware that there were some scams going about with banner ad codes that were malicious. Therefore, I tried to search for the advertisement agency name “Bevesto Agency” on Google. No results. Not even one! Wow. That triggered all the alarm bells in my head! There’s just no way that an advertisement agency with a contract with Lacoste does not have any references at all on Google.

At this point, this definitely points to a scam in progress. But I wanted to investigate further, so I replied with my ‘rate’ and a proposal to put the banner in the blog, and then specifically asked for the banner art and the target link for the ad campaign. I also sent a screenshot of my blog in the email. And a response did come back.

Hi!
Unfortunately we can’t open the attached file. Please send the information in the e-mail message.

Best regards,
Rayan Meyer.
site: www.bevestoagency.com
e-mail: [email protected]
phone: + (0)9 78 62 87 22

That’s probably because it was in PNG format (the default format for OS X screenshots), which shows that a human is actually replying to this exchange of emails! So I sent a JPG version and the following response came back.

Hi!

Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link http://webmaster.bevestoagency.com
To enter use the following data:

login: www.atpeaz.com
password: ###### 

You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: https://www.atpeaz.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: http://docs.bevestoagency.com/wp_install
To activate your site you have to enter the code: UEP-EVH-###

What way of payment is suitable for you?

Best regards,
Rayan Meyer.
site: www.bevestoagency.com
e-mail: [email protected]
phone: + (0)9 78 62 87 22

What? A WordPress plugin needs to be installed? That’s new. And it sure looks like an attempt to insert malicious code into my blog. So I decided to try to log in to the site and see the plugin code. The following is the screenshot of the site where you are supposed to download the plugin. What ‘impressed’ me was that they actually created a profile for my account and also updated the price and banner type that I agreed upon.

And there’s even a help guide on how to install the plugin!

And as for the plugin, the filename is adv.zip and a quick search on Google finally provided some hits on this devious scam. Here is another similar account with an ‘ad agency’ of a different name, also claiming to serve Lacoste. Wow. The exact same modus operandi, but using a different ad agency and domain name. Check out the comments too and see more similar accounts of the same scam!

The curious me obviously decided to peek into the plugin code (and of course NOT installing it at all!!!)

Here are some parts of the code and what happens when I invoke them manually.

1. It’s built to easily allow different domain names to be used. Notice the ADV_SERVICE_DOMAIN constant, used to build the service URL so that only one line needs to change when they switch to a new domain.

define('ADV_SERVICE_DOMAIN', 'bevestoagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

2. Here’s what is returned when I manually construct and request the URL that supposedly activates the ad code (http://webmaster.bevestoagency.com/key?action=init&key=UEP-EVH-###&domain=www.atpeaz.com). It’s basically an XML response with the agreed banner size. Smart. There’s actually a database of user preferences running at the scammer’s end.

<banner>
<key>true</key>
<width>728</width>
<height>90</height>
</banner>

3. Next, the downloadBanners() function would be called, and the following URL (http://webmaster.bevestoagency.com/key?action=getBannerList&key=UEP-EVH-###) would be constructed and invoked, giving the following XML response.

<banner>
<adv>lacoste</adv>
<mode>test</mode>
<banner_item>728x90/1.gif</banner_item>
<banner_item>728x90/2.gif</banner_item>
<banner_item>728x90/3.gif</banner_item>
<show_banner>lacoste/728x90/1.gif</show_banner>
</banner>

4. And based on that array of banner_item data, the code would then download the following banners to your server. They seem to be valid image files, but try not to download them, JUST in case they are malicious GIFs. I looked at them using a sandboxed browser just in case. They seemed to be valid animated Lacoste ads, cheaply made but enough to fool an unsuspecting person.

http://docs.bevestoagency.com/lacoste/728x90/1.gif
http://docs.bevestoagency.com/lacoste/728x90/2.gif
http://docs.bevestoagency.com/lacoste/728x90/3.gif

Malicious GIF images?
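The four steps above, replayed offline as an added example (this is not the plugin’s code, nor anything from the ‘agency’). It builds the same two request URLs from the plugin’s ADV_SERVICE_DOMAIN define, parses the two XML replies quoted above (embedded here as constructed samples, with the key redacted exactly as on the page), and lists what the plugin would pull onto the web server. Nothing in it touches the network. The one assumption is the download path layout docs.<domain>/<adv>/<banner_item>, inferred from the three URLs in step 4.

```python
"""Offline replay of the adv.zip activation protocol as reconstructed above.
Added example, not the plugin's code. No network access: both XML documents
are constructed copies of the responses quoted on the page."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Mirrors the plugin's two define() calls quoted in step 1.
ADV_SERVICE_DOMAIN = "bevestoagency.com"
ADV_SERVICE_URL = "http://webmaster." + ADV_SERVICE_DOMAIN + "/key"

# Constructed sample: the reply to action=init (step 2).
INIT_RESPONSE = """<banner>
<key>true</key>
<width>728</width>
<height>90</height>
</banner>"""

# Constructed sample: the reply to action=getBannerList (step 3).
BANNER_LIST_RESPONSE = """<banner>
<adv>lacoste</adv>
<mode>test</mode>
<banner_item>728x90/1.gif</banner_item>
<banner_item>728x90/2.gif</banner_item>
<banner_item>728x90/3.gif</banner_item>
<show_banner>lacoste/728x90/1.gif</show_banner>
</banner>"""


def init_url(key: str, domain: str) -> str:
    """URL the plugin requests on activation (step 2)."""
    return ADV_SERVICE_URL + "?" + urlencode({"action": "init", "key": key, "domain": domain})


def banner_list_url(key: str) -> str:
    """URL requested by downloadBanners() (step 3)."""
    return ADV_SERVICE_URL + "?" + urlencode({"action": "getBannerList", "key": key})


def parse_init(xml_text: str) -> dict:
    """Reads whether the activation code was accepted and the agreed banner size."""
    root = ET.fromstring(xml_text)
    return {
        "accepted": root.findtext("key") == "true",
        "width": int(root.findtext("width")),
        "height": int(root.findtext("height")),
    }


def parse_banner_list(xml_text: str) -> dict:
    """Reads the advertiser tag, mode and the list of banner files to fetch."""
    root = ET.fromstring(xml_text)
    return {
        "adv": root.findtext("adv"),
        "mode": root.findtext("mode"),
        "items": [e.text for e in root.findall("banner_item")],
        "show": root.findtext("show_banner"),
    }


def download_targets(listing: dict) -> list:
    """Remote files the plugin would write onto the web server.
    ASSUMPTION: the docs.<domain>/<adv>/<banner_item> layout is inferred from
    the three URLs listed in step 4; the plugin's real code may build it differently."""
    return [f"http://docs.{ADV_SERVICE_DOMAIN}/{listing['adv']}/{item}" for item in listing["items"]]


def walk_protocol(key: str, site: str) -> dict:
    """Whole exchange in one call: request URLs, agreed size, and the fetch list."""
    init = parse_init(INIT_RESPONSE)
    listing = parse_banner_list(BANNER_LIST_RESPONSE)
    return {
        "init_url": init_url(key, site),
        "list_url": banner_list_url(key),
        "accepted": init["accepted"],
        "size": f"{init['width']}x{init['height']}",
        "test_mode": listing["mode"] == "test",
        "downloads": download_targets(listing),
    }


if __name__ == "__main__":
    # Redacted key and the site used on the page, as the sample input.
    for name, value in walk_protocol("UEP-EVH-XXX", "www.atpeaz.com").items():
        print(f"{name}: {value}")
```

The useful output for a site owner is the `downloads` list: that is exactly the set of files to look for under the plugin directory when checking what the plugin wrote to the host, and the `<mode>test</mode>` flag is the server-side switch the emails describe (banners only shown once the scammer marks the site approved).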

And it seems that that’s all it does, apart of course from downloading all those banners onto your blog and putting them up via the widget placement. Perhaps I’m missing something in the code. If anyone is interested in digging further to fully decipher the plugin code, feel free to download it here (already extracted to its PHP form) from my Dropbox. Just remember NOT TO INSTALL IT on your own WordPress blog!

But perhaps the intent was never really to put malicious code into your blog but to social engineer you into revealing your payment account details, and eventually trick you somehow into giving up access to that account. Now that’s a scary thought. Given this, I obviously do not want to pursue the email conversation any further.
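For anyone who did install the plugin and wants to check a server, here is an added example of a static triage script (my own illustration, not code from the plugin or from WordPress). It walks a wp-content/plugins directory and flags PHP files carrying the indicators that appear on this page: the ADV_SERVICE_DOMAIN define, the AdvWidget class (the name in the fatal error some commenters hit), the /key?action= endpoints and the adv_test trigger parameter. The fetch-and-write heuristic is generic and may flag legitimate plugins, so it is reported separately. The demo builds a throwaway directory with a constructed adv.php made of fragments quoted here, not the real plugin file.

```python
"""Static triage of a WordPress plugins directory for the adv.zip plugin.
Added example, not the plugin's or WordPress's own code. Indicator strings
come from this page; the fetch/write heuristic is generic."""
import os
import re
import tempfile

# Indicators quoted on the page; any hit means "this looks like the adv plugin".
ADV_INDICATORS = {
    "adv_domain_define": re.compile(r"define\(\s*['\"]ADV_SERVICE_DOMAIN['\"]"),
    "adv_widget_class": re.compile(r"\bclass\s+AdvWidget\b"),
    "adv_key_endpoint": re.compile(r"/key\?action=|action=getBannerList|action=init\b"),
    "adv_test_trigger": re.compile(r"\badv_test\b"),
}
# Generic heuristic: remote fetch plus local write is how the plugin pulls banners onto the host.
FETCH_RE = re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(")
WRITE_RE = re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\(")


def scan_file(path: str) -> dict:
    """Scores one PHP file against the indicators and the fetch/write heuristic."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return {
        "path": path,
        "indicators": [name for name, rx in ADV_INDICATORS.items() if rx.search(src)],
        "fetches_remote": bool(FETCH_RE.search(src)),
        "writes_files": bool(WRITE_RE.search(src)),
    }


def scan_plugins_dir(plugins_dir: str) -> list:
    """One finding per .php file with at least one adv indicator; files that only
    match the fetch-and-write heuristic are listed with verdict 'heuristic only'."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            finding = scan_file(os.path.join(root, name))
            if finding["indicators"]:
                finding["verdict"] = "adv plugin"
            elif finding["fetches_remote"] and finding["writes_files"]:
                finding["verdict"] = "heuristic only"
            else:
                continue
            findings.append(finding)
    return findings


def demo() -> list:
    """Constructed sample: a temp plugins dir with an adv.php built from fragments
    quoted on the page plus one benign plugin, then a scan of it."""
    with tempfile.TemporaryDirectory() as tmp:
        adv_dir = os.path.join(tmp, "adv")
        os.makedirs(adv_dir)
        with open(os.path.join(adv_dir, "adv.php"), "w", encoding="utf-8") as fh:
            fh.write(
                "<?php\n"
                "define('ADV_SERVICE_DOMAIN', 'bevestoagency.com');\n"
                "define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');\n"
                "class AdvWidget extends WP_Widget {}\n"
                "$xml = file_get_contents(ADV_SERVICE_URL . '?action=getBannerList&key=' . $key);\n"
                "file_put_contents(dirname(__FILE__) . '/banners/1.gif', $img);\n"
            )
        with open(os.path.join(tmp, "hello.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n// Plugin Name: Hello\nfunction hello_text() { return 'Hello'; }\n")
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["verdict"], os.path.basename(f["path"]), f["indicators"])
```

Run it against a real install with scan_plugins_dir("/path/to/wp-content/plugins"). A hit on the adv indicators is a reason to delete that plugin directory over FTP or SSH and change the WordPress and hosting passwords that were typed into the scammer’s ‘control panel’; a heuristic-only hit just means the file fetches and writes, which many legitimate plugins do.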

Well as the saying goes, when it’s too good to be true, it’s probably really too good to be true.

Update:

Interestingly enough, I still got an email from ‘Rayan Meyer’ telling me to remove the plugin.

Hi!

Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future!

Best regards,
Rayan Meyer.
site: www.bevestoagency.com
e-mail: [email protected]
phone: + (0)9 78 62 87 22


45 Responses

  1. chris says:

    Thanks for the heads-up. I was suspicious of their email from the start and decided to google the name ‘Bevesto Agency.’ Your research has confirmed my suspicions.

  2. Brian says:

    Hi Ken. I thought I’d add my url to this discussion. I tweeted your url just now. The more information on this, the better. Here is my story on the same scam:
    http://brianmahoney.ca/2011/11/wordpress-comment-scam/

  3. Ken Ng says:

    Thanks for sharing. Yup. the more information on this the better. I had trouble searching for “Bevesto Agency” at first too!

  4. MartinS says:

    Thank you for this. Saved me a load of time having received an email from RayanMeyer@bevesto. I’ll +1 when I get signed up!
    Cheers.

  5. Brian says:

    Same here. I had to get the exact combination of words to find the link that is in my post. I came across two advertising sites that are exactly the same and haven’t been updated since 2007. I also wrote to Izod Lacoste, to no avail. I’ll try Twitter next.

  6. Michelle says:

    Yup, got exactly the same email and response. Thanks for writing this up and saving me. (And thank goodness my husband suggested I do a search of the agency before going any further!)

  7. Jerome says:

    Thanks a lot! I have to deactivate the plugin right away. My webhost did a cleanup on my site for possible malware.
    Good thing I googled Rayan Meyer and his bevesto ad agency. Sure enough, I found him to be a professional scammer.

  8. colbert says:

    Lucky I saw your post before I went further on the scam. I had a similar email with a different name. > Mathis Gaillard at [email protected]

  9. joe says:

    I wish I found about this sooner 🙁

    I already activated the plugin; only then did I google this and found your post 🙁

    I deactivated the plugin instantly, any suggestions what else should I do?

    thanks

  10. MessyEpicure says:

    Got the same scam from a Killian Blanchard at Jino Agency, [email protected]. Thanks for sniffing this out!

  11. Ken Ng says:

    Actually I don’t think the plugin causes any harm. At least that’s what I’m able to ascertain. But just make sure you don’t provide any personal information to the spammer anymore!

  12. Mark says:

    It’s possible that the plugin you install is completely clean. But once it’s installed and been running for a while to gain trust or lull people into complacency, they could then pump out a malicious update. Possibly.

  13. Jack Cola says:

    I got the same email – I moved my site to a sandboxed host, just to test it out, and see what happens.

    Maybe the plugin doesn’t actually do anything, it just makes it easier for people to manage the ads.

    It might not be a scam after all, all they are doing is mass emailing people, not paying, and getting the brand name out there – they’re doing a good job with all these comments.

  14. Brian says:

    It might not be a scam? I don’t think Izod Lacoste advertises this way, do you? If you check the ‘company’ sites, they haven’t been updated since 2007 and there is nothing there at all. It will be interesting to see what happens. My fear is that once you get the ads up, they will change what they lead to and, of course, never pay you. Let us know what happens, if anything ever does.

  15. TBM says:

    I can’t believe I fell for this. I’m usually so cautious, but googling up “lekkaagency” (Lorenzo Roche is the name my scammer used) did not bring up any bad results and neither did scanning the adv.zip files with kaspersky. So, I said to myself, “what the heck, if it doesn’t work, I’ll just remove the plugin and no harm done!”

    Problem is, I can’t remove the plugin. I can delete the widget, but the wordpress dashboard keeps showing the ADV tab in settings. How can I completely get rid of this?

  16. Ken Ng says:

    That’s weird. Disabling and deleting the widget should remove it from WordPress, since it still complies with WordPress’s plugin system.

  17. Brian says:

    I found this plugin: http://wordpress.org/extend/plugins/wp-security-scan/
    and I suppose there are more which check the integrity of your installation. I think Kaspersky would only look for a virus/computer link not a virus/WP installation link. It may not be a virus in the general sense. I posted a question on a PHP forum but have not had any response. Ken had done a good job of figuring out what it does so this is a surprise.

  18. Lynne says:

    Thanks for the info. I received the email from Killian Blanchard/[email protected], and was suspicious about a request to pay me for banner ads, since my website gets maybe 5 views a month. 😉 Glad I did a little investigating first!

  19. ColtForty5 says:

    I received one from him as well.

  20. TBM says:

    Thanks for all your efforts Ken. I logged in via FTP and deleted the ADV folder inside the plugins folder. No longer does it “appear” anywhere in my wp-admin area, but I wonder if it installed some kind of tracker elsewhere on the server . . . or if it’s trying to decrypt my password as we speak.

  21. Ken Ng says:

    Thankfully, I didn’t see any such code in the plugin. To be honest, the code is not that sophisticated and seems to do very little. This brings me to suspect that they are just phishing for email addresses, payment methods, etc. for a more sophisticated attack later.

  22. Sumit says:

    Thank you everyone for your comments; one could never have figured out this was a scam had you guys not done all the research.

    Even I was contacted by Jingo Agency – killian.

    Same modus operandi. !

  23. SLee says:

    I was also targeted by these scammers. I sent an email about this banner ad scam to Lacoste and am awaiting their reply.

  24. Cristian says:

    Thanks for your timely article, I just hope it wasn’t too late for me!! I’m normally on top of these type of scams, must have been the Xmas mood, I thought it was real 🙁 I actually downloaded the ADV plugin and uploaded to my blog but when I tried to activate it, it triggered a fatal error so I promptly deleted it using the wordpress plugin section.

    Do you think anything would have been run on my blog seeing as how it triggered a fatal error and the status of the plug in was Inactive?

    Am worried for the health of my blog now!! 🙁

    Thanks in advance 🙂

  25. Cristian says:

    In my instance this is what the email looked like:

    Hello,

    Thanks for reply to our proposal!

    I represent Lego Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Julien Fontaine.
    site: http://www.lego-agency.com
    e-mail: [email protected]
    phone: + (0)9 78 62 78 88

    And when you google their agency, you do get a website. Granted it’s in French but it’s a full website so the illusion is complete 🙁

  26. Ken Ng says:

    Since there was an error, it’s likely that the plugin didn’t run. 🙂

  27. tc says:

    I was just about to be scammed. Pasting it here to save some others. Here is the email I got.

    I represent Nana Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,

    Matthieu Colin.
    site: http://www.nanaagency.com
    e-mail: [email protected]
    phone: + (0)9 78 62 57 86

  28. Jeremy T. says:

    Add the following details to this list for this scam:
    Sacha Charles @ Lana Agency (www.lanaagency.com)

  29. Karen Krueger says:

    I was suspicious of the email I got asking to advertise on my corvette site from Matthieu and the NanaAgency So I passed it by my husband. He didn’t see anything suspicious, so I wrote back with a price…and I got the same email saying yes the price was good… then to download a plugin because they don’t want to use Javascript. Well it’s been my experience, html works just fine, so there shouldn’t be a problem… But when they told me to login and download a plugin…my spider hairs stood up. I wrote back asking if they were looking for payment from me…and the response was no… just download the plugin. That’s where I stopped. I didn’t even want to look at the plugin let alone download it or install it.

    It is my advice, if you don’t know who you are dealing with, don’t click anything, don’t download, or install anything! Just my two cents.

    And THANK YOU for your article…. I was looking for something to substantiate my hunch. Sometimes plugins can have a call back home, or some type of back door to your site… it might not be obvious…I’m not a coder or programmer, just someone who has been burned in the past.

    Take care,
    KKrueger

  30. Ken Ng says:

    Glad this article helped in its own little way. 🙂

  31. moonpixel says:

    Thanks a lot for posting this! It does help many people to identify this as a scam. Currently it seems to be running under Valentin Lopez / Gera Agency …
    I have written some more details here:
    http://moonpixel.com/banner-scam-with-adv-plugin-for-wordpress-ads-from-paris-agency/

  32. SLee says:

    I emailed LaCoste to let them know what was going on and to double-check what we already knew to be true about the legitimacy of these emails. I got a reply from LaCoste confirming that these people are completely illegitimate.

  33. mcsrainbow says:

    Thank you very much, Ken Ng. If I hadn’t seen your article, maybe I would have been cheated.
    I’m a Linux system administrator from China; I’d like to exchange friendship links with you. Do you mind?

    Here is the email I got from the scammer.

    Hello,

    Your site was found by Google. It fits our advertising requirements.

    I represent Gemerro Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Victor Brunet.
    site: http://www.gemerro.com
    e-mail: [email protected]
    phone: + (0)9 78 62 93 11

  34. Sanwal says:

    I received the exact same email and gave them prices for advertising on my site, and then they sent me a banner, but whenever I tried to upload and activate that banner it gave me the following error.

    Plugin could not be activated because it triggered a fatal error.
    Fatal error: Cannot redeclare class AdvWidget in /home/user/public_html/wp-content/plugins/adv2/adv.php on line 32

    So I sent them an email and they said to try uploading it in a fresh new directory under the plugins folder, so I did, but I kept getting the same error.

    Then I was searching for a solution to the above mentioned error and came across your site, and got shocked. Thanks for saving me. I just removed the plugin from my site.

    Thanks for saving my life. 🙂

    Cheers

  35. javabros says:

    Thanks for your post. I have also been contacted by this possible scammer, using the name Victor Brunet from Gemerro Agency and claiming to represent Lacoste company. Like you, my suspicion arose when he instructed me to install the wp plugin below:

    http://docs.gemerro.com/wp_install/

    Thanks for saving me from this scam

  36. Eastwood says:

    Contacted by Noah Vincent with the same method:

    Noah Vincent
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  37. marc says:

    They don’t seem to last very long. Trying to go to lego-agency.com now, you get

    Oops! Google Chrome could not find lego-agency.com

  38. Ken Ng says:

    Yeah, they do change to a ‘new agency’ pretty quickly to avoid being listed as a scam when new victims search the web for their name. Let’s just hope they don’t change the plugin’s name, so that most would also google for it when they are approached to install the plugin (if that’s not already a huge red alarm bell ringing!)

  39. Scam Advertiser email : [email protected]
    From us :
    Hi Noah,

    If you are interested in placing a banner please

    send in your banner(.jpg/.gif),
    text link or script only
    make a payment to book your spot instantly.

    Once you have completed these steps please get back to us and your banner will be live in 24 hours.

    Noah Vincent [email protected] to admin

    Hi!
    Unfortunately, we can’t place our banners through mentioned system. All our banners must be controlled by the plug-in, it is an advertiser require. If you agree with it,provide us with the available banner sizes, locations and prices, we’ll choose the most suitable.

    Best regards,
    Noah Vincent.
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  40. Paul says:

    Got the same from legretto…

    To pass to the banner control system follow the link http://webmaster.legretto.com
    To enter use the following data:

    login: website.com
    password: 1VKMM2CN

    You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://website.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

    To get installation instruction for your site type pass to: http://docs.legretto.com/wp_install
    To activate your site you have to enter the code: IFW-P3W-BUA

    What way of payment is suitable for you?

    Best regards,
    Noah Vincent.
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  41. johnny says:

    They phished me too.
    They used the name of
    Guraci
    http://www.guraci.com/
    Samuel Charles.
    Same Lacoste approach.
    I feel a fool; I followed up for too long, but not enough to get to install the plug-in. Thank you for the post and all the comments.

  42. johnny says:

    I tracked the IP of the email sender. It comes from IRAN. Does this suggest something to anyone in order to find out the reason why they are doing this?

  43. johnny says:

    Can anyone say what could happen if I install but not activate the link?

  44. Friedbeef says:

    Latest incarnation is Bizotto Agency. Beware!

  45. Nate says:

    I was scammed by this in February and forgot about until Google started blocking my site for distributing malware this week. Looks like it lays dormant and then activates the malicious code months later.
