WordPress blogs targeted scam – beware of the adv.zip plugin!
Here was how it all got started.
It seems that some guy posted a comment on my blog asking me if I was interested to have a banner ad placed on my blog for a fee. Hmmm. To be honest, I was initially skeptical but curious. So I decided to write an email across and see what it’s all about.
Then I got a response.
Seemed like a human response. But it seemed weird that an agency would want to put a banner for Lacoste on a tech website. So this started to sound a little fishy. I was aware that there were some scams going about with banner ad codes that was malicious. Therefore, I tried to search for the advertisement agency name “Bevesto Agency” on google. No results. Not even one! Wow. That triggered all the alarm bells in my head! There’s just no way that an advertisement agency with a contract with Lacoste does not have any references at all on Google.Invalid mfunc tag syntax. The correct format is: <!-- W3TC_DYNAMIC_SECURITY mfunc PHP code --><!-- /mfunc W3TC_DYNAMIC_SECURITY --> or <!-- W3TC_DYNAMIC_SECURITY mfunc -->PHP code<!-- /mfunc W3TC_DYNAMIC_SECURITY -->.
At this point, this definitely points to a scam in progress. But I wanted to investigate further, so I replied my ‘rate’ and a proposal to put the banner in blog and then specifically asked for the banner art and the target link for the ad campaign. I’ve also send a screenshot of my blog in the email. And a response did come back.
Hi! Unfortunately we can’t open the attached file. Please send the information in the e-mail message. Best regards,� Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
That’s probably because it was in PNG format (the default format for OS X screenshots) so that shows that there’s actually a human person replying to these exchange of emails! So I sent a jpg version and the following response came back.
Hi! Thanks for reply to our proposal! We like your price. To pass to the banner control system follow the link http://webmaster.bevestoagency.com To enter use the following data: login: www.atpeaz.com password: ###### You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: https://www.atpeaz.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made. To get installation instruction for your site type pass to: http://docs.bevestoagency.com/wp_install To activate your site you have to enter the code: UEP-EVH-### What way of payment is suitable for you? Best regards,� Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22
What? A wordpress plugin needs to be installed? That’s new. And it sure looks like an attempt to insert malicious code into my blog. So I decided to try and log in to the site and wanted to see the plug-in code. The following is the screenshot of the site where you are supposed to download the plugin. What ‘impressed’ me was that they actually created a profile for my account and also updating the price and banner type that I agreed upon.
And there’s even a help guide on how to install the plugin!
And as for the plugin, the filename is adv.zip and a quick search on Google finally provided some hits on this devious scam. Here is another similar account with an ‘ad agency’ of a different name, also claiming to serve Lacoste. Wow. The exact same modus operandi, but using a different ad agency and domain name. Check out the comments too and see more similar accounts of the same scam!
The curious me obviously decided to peek into the plugin code (and of course NOT installing it at all!!!)Invalid mfunc tag syntax. The correct format is: <!-- W3TC_DYNAMIC_SECURITY mfunc PHP code --><!-- /mfunc W3TC_DYNAMIC_SECURITY --> or <!-- W3TC_DYNAMIC_SECURITY mfunc -->PHP code<!-- /mfunc W3TC_DYNAMIC_SECURITY -->.
Here are some parts of the code and what happens when I invoke them manually.
1. It’s built to easily allow different domain names to be used. Notice the ADV_SERVICE_DOMAIN variable used to easily change the url construct.
define('ADV_SERVICE_DOMAIN', 'bevestoagency.com'); define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');
2. Here’s what returns when I manually construct and requested from the URL that supposedly activates the ad code.(http://webmaster.bevestoagency.com/key?action=init&key=UEP-EVH-###&domain=www.atpeaz.com). It’s basically an XML response with the agreed banner size. Smart. There’s actually a database of user preferences running at the scammer’s end.
<banner> <key>true</key> <width>728</width> <height>90</height> </banner>
3. Next the downloadBanners() function would be called and the following URL (http://webmaster.bevestoagency.com/key?action=getBannerList&key=UEP-EVH-###) would be constructed and invoke, providing the following XML response.
<banner> <adv>lacoste</adv> <mode>test</mode> <banner_item>728x90/1.gif</banner_item> <banner_item>728x90/2.gif</banner_item> <banner_item>728x90/3.gif</banner_item> <show_banner>lacoste/728x90/1.gif</show_banner> </banner>
4. And based on that array of banner_item data, the code would then proceed to download to your server the following banners that seems to be valid image files. But try not to download them JUST in case they are malicious GIFs. I’ve looked at them using a sandboxed browser just in case. They seemed to be valid animated Lacoste ads, cheaply made but enough to fool a unsuspecting person.
http://docs.bevestoagency.com/lacoste/728x90/1.gif http://docs.bevestoagency.com/lacoste/728x90/2.gif http://docs.bevestoagency.com/lacoste/728x90/3.gif
Malicious GIF images?
And it seems that that’s all it does. Apart of course from downloading all that banners onto your blog and putting it up on your blog via the widget placement. Perhaps I’m missing something from reading the code. If anyone is interested to discover more to see if they can fully decipher the plugin codes, feel free to download it here (extracted to its php form already) from my dropbox. Just remember NOT TO INSTALL IT on your own WordPress blog!
But perhaps the intent was never really to put malicious code into your blog but to social engineer you into revealing your payment account details, and eventually trick you somehow into revealing the access to that account. Now that’s a scary thought. On this, I obviously do not want to pursue the email conversations further.
Well as the saying goes, when it’s too good to be true, it’s probably really too good to be true.
Interestingly enough, I still got an email from ‘Rayan Meyer’ to remove the plugin.
Hi! Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future! Best regards, Rayan Meyer. site: www.bevestoagency.com e-mail: [email protected] phone: + (0)9 78 62 87 22