WordPress blogs targeted scam – beware of the adv.zip plugin!

Ken Ng


48 Responses

  1. chris says:

    Thanks for the heads-up. I was suspicious of their email from the start and decided to google the name ‘Bevesto Agency.’ Your research has confirmed my suspicions.

  2. Brian says:

    Hi Ken. I thought I’d add my url to this discussion. I tweeted your url just now. The more information on this, the better. Here is my story on the same scam:
    http://brianmahoney.ca/2011/11/wordpress-comment-scam/

  3. Ken Ng says:

    Thanks for sharing. Yup, the more information on this the better. I had trouble searching for “Bevesto Agency” at first too!

  4. MartinS says:

    Thank you for this. Saved me a load of time having received an email from [email protected] I’ll +1 when I get signed up!
    Cheers.

  5. Brian says:

    Same here. I had to get the exact combination of words to find the link that is in my post. I came across two advertising sites that are exactly the same and haven’t been updated since 2007. I also wrote to Izod Lacoste, to no avail. I’ll try Twitter next.

  6. Michelle says:

    Yup, got exactly the same email and response. Thanks for writing this up and saving me. (And thank goodness my husband suggested I do a search of the agency before going any further!)

  7. Jerome says:

    Thanks a lot! I have to deactivate the plugin right away. My webhost did a cleanup on my site for possible malware.
    Good thing I googled Rayan Meyer and his bevesto ad agency. Sure enough I found him to be a professional scammer.

  8. colbert says:

    Lucky I saw your post before I went further on the scam. I had a similar email with a different name. > Mathis Gaillard at [email protected]

  9. joe says:

    I wish I found about this sooner 🙁

    I already activated the plugin, only then did I google this and found your post 🙁

    I deactivated the plugin instantly, any suggestions what else should I do?

    thanks

  10. MessyEpicure says:

    Got the same scam from a Killian Blanchard at Jino Agency, [email protected]. Thanks for sniffing this out!

  11. Ken Ng says:

    Actually I don’t think the plugin causes any harm. At least that’s what I’m able to ascertain. But just make sure you don’t provide any personal information to the spammer anymore!

  12. Mark says:

    It’s possible that the plugin you install is completely clean. But once it’s installed and been running for a while to gain trust or lull people into complacency, they could then pump out a malicious update. Possibly.

  13. Jack Cola says:

    I got the same email – I moved my site to a sandboxed host, just to test it out, and see what happens.

    Maybe the plugin doesn’t actually do anything, it just makes it easier for people to manage the ads.

    It might not be a scam after all, all they are doing is mass emailing people, not paying, and getting the brand name out there – they’re doing a good job with all these comments.

  14. Brian says:

    It might not be a scam? I don’t think Izod Lacoste advertises this way, do you? If you check the ‘company’ sites, they haven’t been updated since 2007 and there is nothing there at all. It will be interesting to see what happens. My fear is that once you get the ads up, they will change what they lead to and, of course, never pay you. Let us know what happens, if anything ever does.

  15. TBM says:

    I can’t believe I fell for this. I’m usually so cautious, but googling up “lekkaagency” (Lorenzo Roche is the name my scammer used) did not bring up any bad results and neither did scanning the adv.zip files with kaspersky. So, I said to myself, “what the heck, if it doesn’t work, I’ll just remove the plugin and no harm done!”

    Problem is, I can’t remove the plugin. I can delete the widget, but the wordpress dashboard keeps showing the ADV tab in settings. How can I completely get rid of this?

  16. Ken Ng says:

    That’s weird. Disabling and deleting the Widget should remove it from WordPress since it still complies with WordPress’s plugin system.

  17. Brian says:

    I found this plugin: http://wordpress.org/extend/plugins/wp-security-scan/
    and I suppose there are more which check the integrity of your installation. I think Kaspersky would only look for a virus/computer link not a virus/WP installation link. It may not be a virus in the general sense. I posted a question on a PHP forum but have not had any response. Ken had done a good job of figuring out what it does so this is a surprise.

  18. Lynne says:

    Thanks for the info. I received the email from Killian Blanchard/[email protected], and was suspicious about a request to pay me for banner ads, since my website gets maybe 5 views a month. 😉 Glad I did a little investigating first!

  19. ColtForty5 says:

    I received one from him as well.

  20. TBM says:

    Thanks for all your efforts Ken. I logged in via FTP and deleted the ADV folder inside the plugins folder. No longer does it “appear” anywhere in my wp-admin area, but I wonder if it installed some kind of tracker elsewhere on the server . . . or if it’s trying to decrypt my password as we speak.

  21. Ken Ng says:

    Thankfully, I didn’t see any such code in the plugin. To be honest, the code is not that sophisticated and seems to do very little. This leads me to suspect that they are just phishing for email addresses, payment methods, etc. for a more sophisticated attack later.

  22. Sumit says:

    Thank you everyone for your comments, one could have never figured out this was a scam should you guys have not done all the research.

    Even I was contacted by Jingo Agency – killian.

    Same modus operandi!

  23. SLee says:

    I was also targeted by these scammers. I sent an email about this banner ad scam to Lacoste and am awaiting their reply.

  24. Cristian says:

    Thanks for your timely article, I just hope it wasn’t too late for me!! I’m normally on top of these type of scams, must have been the Xmas mood, I thought it was real 🙁 I actually downloaded the ADV plugin and uploaded to my blog but when I tried to activate it, it triggered a fatal error so I promptly deleted it using the wordpress plugin section.

    Do you think anything would have been run on my blog seeing as how it triggered a fatal error and the status of the plug in was Inactive?

    Am worried for the health of my blog now!! 🙁

    Thanks in advance 🙂

  25. Cristian says:

    In my instance this is what the email looked like:

    Hello,

    Thanks for reply to our proposal!

    I represent Lego Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Julien Fontaine.
    site: http://www.lego-agency.com
    e-mail: [email protected]
    phone: + (0)9 78 62 78 88

    And when you google their agency, you do get a website. Granted it’s in French but it’s a full website so the illusion is complete 🙁

  26. Ken Ng says:

    Since there was an error, it’s likely that the plugin didn’t run. 🙂

  27. tc says:

    I was just about to be scammed. Pasting it here to save some others. Here is the email I got.

    I represent Nana Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,

    Matthieu Colin.
    site: http://www.nanaagency.com
    e-mail: [email protected]
    phone: + (0)9 78 62 57 86

  28. Jeremy T. says:

    Add the following details to this list for this scam:
    Sacha Charles @ Lana Agency (www.lanaagency.com)

  29. Karen Krueger says:

    I was suspicious of the email I got asking to advertise on my corvette site from Matthieu and the NanaAgency So I passed it by my husband. He didn’t see anything suspicious, so I wrote back with a price…and I got the same email saying yes the price was good… then to download a plugin because they don’t want to use Javascript. Well it’s been my experience, html works just fine, so there shouldn’t be a problem… But when they told me to login and download a plugin…my spider hairs stood up. I wrote back asking if they were looking for payment from me…and the response was no… just download the plugin. That’s where I stopped. I didn’t even want to look at the plugin let alone download it or install it.

    It is my advice, if you don’t know who you are dealing with, don’t click anything, don’t download, or install anything! Just my two cents.

    And THANK YOU for your article…. I was looking for something to substantiate my hunch. Sometimes plugins can have a call back home, or some type of back door to your site… it might not be obvious…I’m not a coder or programmer, just someone who has been burned in the past.

    Take care,
    KKrueger

  30. Ken Ng says:

    Glad this article helped in its own little way. 🙂

  31. moonpixel says:

    Thanks a lot for posting this! It does help many people to identify this as a scam. Currently it seems to be running under Valentin Lopez / Gera Agency …
    I have written some more details here:
    http://moonpixel.com/banner-scam-with-adv-plugin-for-wordpress-ads-from-paris-agency/

  32. SLee says:

    I emailed LaCoste to let them know what was going on and to double-check what we already knew to be true about the legitimacy of these emails. I got a reply from LaCoste confirming that these people are completely illegitimate.

  33. mcsrainbow says:

    Thank you very much, Ken Ng. If I hadn’t seen your article, I might have been cheated.
    I’m a Linux system administrator from China, I’d like to exchange friendship links with you. Do you mind?

    Here is the email I got from the scammer.

    Hello,

    Your site was found by Google. It fits our advertising requirements.

    I represent Gemerro Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Victor Brunet.
    site: http://www.gemerro.com
    e-mail: [email protected]
    phone: + (0)9 78 62 93 11

  34. Sanwal says:

    I received the exact email and gave them prices for advertising on my site and then they sent me a banner, but whenever I tried to upload and activate that banner it gave me the following error.

    Plugin could not be activated because it triggered a fatal error.
    Fatal error: Cannot redeclare class AdvWidget in /home/user/public_html/wp-content/plugins/adv2/adv.php on line 32

    so i sent them email and they said try to upload in a fresh new directory under plugin folder so i did but kept getting the same error.

    then i was searching for the solution for that above mentioned error and came across your site. and got shocked. thanks for saving. i just removed the plugin from my site.

    Thanks for the saving the life. 🙂

    Cheers

  35. javabros says:

    Thanks for your post, I have also been contacted by this possible scammer, but using the name Victor Brunet from Gemerro Agency, claiming to represent the Lacoste company. Same as you, my suspicion arose when he instructed me to install the wp plugin below:

    http://docs.gemerro.com/wp_install/

    Thanks for saving me from this scam

  36. Eastwood says:

    Contacted by Noah Vincent with the same method:

    Noah Vincent
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  37. marc says:

    they don’t seem to last very long, Trying to go to lego-agency.com now you get

    Oops! Google Chrome could not find lego-agency.com

  38. Ken Ng says:

    Yea, they do change to a ‘new agency’ pretty quickly to avoid being listed as a scam when new victims search the web for their name. Let’s just hope they don’t change the plugin’s name, so that most would also google for it when they are approached to install the plugin (if that’s not already a huge red alarm bell ringing!)

  39. Scam Advertiser email : [email protected]
    From us :
    Hi Noah,

    If you are interested in placing a banner please

    send in your banner(.jpg/.gif),
    text link or script only
    make a payment to book your spot instantly.

    Once you have completed these steps please get back to us and your banner will be live in 24 hours.

    Noah Vincent ✆ [email protected] to admin

    Hi!
    Unfortunately, we can’t place our banners through mentioned system. All our banners must be controlled by the plug-in, it is an advertiser require. If you agree with it,provide us with the available banner sizes, locations and prices, we’ll choose the most suitable.

    Best regards,
    Noah Vincent.
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  40. Paul says:

    Got the same from legretto…

    To pass to the banner control system follow the link http://webmaster.legretto.com
    To enter use the following data:

    login: website.com
    password: 1VKMM2CN

    You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://website.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

    To get installation instruction for your site type pass to: http://docs.legretto.com/wp_install
    To activate your site you have to enter the code: IFW-P3W-BUA

    What way of payment is suitable for you?

    Best regards,
    Noah Vincent.
    site: http://www.legretto.com
    e-mail: [email protected]
    phone: + (0)9 78 62 60 53

  41. johnny says:

    they fished me too
    They used the name of
    Guraci
    http://www.guraci.com/
    Samuel Charles.
    same Lacoste approach.
    I feel a fool. I followed up for too long, but not enough to get to install the plug-in. Thank you for the post and all the comments.

  42. johnny says:

    I tracked the IP of the email sender. It comes from IRAN. Does this suggest something to anyone in order to find out the reason why they are doing this?

  43. johnny says:

    Can anyone say what could happen if I install but not activate the link?

  44. Friedbeef says:

    Latest incarnation is Bizotto Agency. Beware!

  45. Nate says:

    I was scammed by this in February and forgot about it until Google started blocking my site for distributing malware this week. Looks like it lies dormant and then activates the malicious code months later.
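
Several commenters above ask how to confirm the plugin is really gone after deactivating or deleting it. The following is an added example, not part of the original post or of any comment: a scan of `wp-content/plugins` for the two markers quoted in this thread (the `AdvWidget` class from the fatal error and the `adv_test` parameter from the scammer's instructions). The directory-name pattern and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Markers quoted in this thread: the class from the fatal error message
# and the query parameter from the scammer's installation instructions.
MARKERS = {
    "AdvWidget class": re.compile(rb"class\s+AdvWidget\b"),
    "adv_test parameter": re.compile(rb"adv_test"),
}
# Assumption: the plugin unpacks to "adv", "ADV" or "adv2" style directory names.
DIR_NAME = re.compile(r"^adv\d*$", re.IGNORECASE)


def scan_plugins(plugins_dir):
    """Return sorted (relative_path, reason) findings under wp-content/plugins."""
    root = Path(plugins_dir)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.parent == root and DIR_NAME.match(path.name):
                findings.append((rel, "plugin directory name"))
            continue
        if path.suffix.lower() not in {".php", ".inc", ".phtml"}:
            continue
        data = path.read_bytes()
        for reason, pattern in MARKERS.items():
            if pattern.search(data):
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample tree (not the real plugin's code) for an offline run."""
    plugins = Path(base) / "wp-content" / "plugins"
    (plugins / "adv2").mkdir(parents=True)
    (plugins / "gallery").mkdir()
    (plugins / "adv2" / "adv.php").write_text(
        "<?php class AdvWidget extends WP_Widget { /* reads $_GET['adv_test'] */ }"
    )
    (plugins / "gallery" / "gallery.php").write_text("<?php class GalleryWidget {}")
    return plugins


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_plugins(build_sample_tree(tmp)):
            print(f"{rel}: {reason}")
```

An empty result only covers the plugins directory; it says nothing about files written elsewhere on the server or about a renamed copy of the plugin.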

  1. November 24, 2011

    […] They apparently tell you that they advertise for Lacoste. Once a pricing is decided, they request you to install a wordpress plugin for advertising. The installation of this plugin could compromise your wordpress based site. The plugin zip is named adv.zip and you *SHOULD NOT INSTALL THIS PLUGIN*. The following links elaborates on the details – http://www.atpeaz.com/index.php/2011/wordpress-blogs-targeted-scam-beware-of-the-adv-zip-plugin/ […]
