…If sinners entice you, do not consent… If they say, “…We shall find all precious goods, we shall fill our houses with plunder; throw in your lot among us…” …do not walk in the way with them… for their feet run to evil, and they make haste to shed blood. …Such are the ways of everyone who is greedy for unjust gain; it takes away the life of its possessors.
Proverbs 1:8-19
Wouldn’t it be nice to be rich? Not just a little rich… I mean so rich that you can swim around in your money like Scrooge McDuck. You would be completely free from the shackles of debt, free to do anything you want in life.
The Internet and Scams
The creation and development of the Internet has spawned a multitude of ways for the clever and industrious to make that kind of money online. Though many online entrepreneurs have been able to use this technology in legitimate ways, the medium itself aids those who want to disguise their true identities to trick, manipulate, and otherwise harm unsuspecting prey.
The perpetrators masquerade in various forms. Sometimes they are poor or in trouble and need some kind of help. If you’re reading this post, you’ve probably heard of this scam involving a Nigerian needing help with international wire transfers. Sometimes they pretend to be representatives of the lottery, congratulating you on your winnings (as soon as you pay the processing fee).
Just like effective sales copy, these scams work because they promise to satisfy a desire of the reader — specifically in these cases, a desire for money.
They fail because they are over-the-top… and because they have been publicized.
Introducing the Banner Ad Scam
Savvy netizen that you are, you may think that these scams are so obvious that you would never fall for one. I thought the same thing until I got this email:
Direct ad sales like this do come along from time to time, so I wasn’t particularly alarmed by this email. And I want to make some money from blogging, so I sent back a request to see what kind of banner ad he wanted to run. I got this email in response:
If you go to the website mentioned in the email, you will find banner-sized .gif images for Lacoste. In retrospect, they look pretty shabby compared to the sleek design of the official Lacoste website.
Not thinking clearly, I was still operating under the assumption that this might be legit, so I sent back a pricing offer. I expected some kind of negotiation, but there was none. (Some bloggers who have also been targeted by these people have reported that they sent back ridiculous offers, like $1,000, and they were also “approved.”) Martin replied with this:
I had never heard of an advertising company needing publishers (in this case bloggers) to install a special plugin to serve ads. It seemed highly suspicious that I needed to install this ADV plugin, so I started doing some research (which I should have already been doing).
Who is Behind the ADV Plugin Banner Ad Scam?
It turns out that the same person or people have been using the same modus operandi under various pseudonyms for at least a couple months. I got an email from “Martin Lefevre” from the “Rita Agency,” but other bloggers have received identical emails from:
- Killian Blanchard — Jino Agency
- Rayan Meyer — Bevesto Agency
- Martin Dumont — (agency name unknown)
- Jules Barbier — Marka Agency
- Oscar Meunier — Kervel Agency
- Noa Morin — Kara Agency
Regardless of the name used, the scammer sends out the same emails, pitching an ad deal for Lacoste and then requesting the blogger to install the ADV plugin. The scammers have a form website that they copy for each domain name, corresponding to each spurious company. The websites look like this:
What’s in it for the Scammer?
It’s unclear at this time what the end goal is for Martin Lefevre (or whatever her name is). If the scammer(s) are able to phish a blogger’s payment account details they might try to do something malicious with that information. Another possibility is some sort of exploit with the ADV plugin that they are using.
I’m not a PHP expert by any means and would not have been able to see exploits in the code even if there were any, but other bloggers reporting on this scam have shared that there doesn’t appear to be anything in the code as it is. Perhaps this was foolish on my part, but I ran the plugin on a sand-boxed WordPress site, and it seemed to do what the scammers said it would.
Of course, this is a huge security issue. Installing this third-party plugin opens a door to the scammers to potentially access the innards of your blog and do all kinds of nasty things with it.
Though social engineering and hackery are both possibilities, they are merely speculations. It is yet to be discovered for sure what these scammers are after.
Who’s at Risk?
Because their strategy requires the use of a third-party WordPress plugin, only bloggers who run a self-hosted WordPress blog are susceptible to this scam. However, if the exploit is through the plugin itself, it’s possible that the same kind of attack could be recreated for other content management systems like Joomla and Drupal.
I suspect WordPress has been targeted because of its popularity.
Of all the open source content management systems (CMS) available to bloggers, WordPress is by far the most popular. Famous WordPress developer Yoast recently released this infographic on WordPress usage, showing that as of March 2012 WordPress is used on 72.4 million sites worldwide. Compare this to Joomla’s usage on 1.6 million and Drupal usage on a mere 684,055 sites, and it becomes clear why the WordPress community is such a large target.
Do You Know Martin Lefevre?
Have you had any interaction with these scammers or other banner ad scams? Let us know your story in the comments below.
Update: My Site Was “Rejected”
A few days after Martin told me to install the plugin, I got this final email from him:
Another Update (1/26/2012):
As if any confirmation was needed, today I received an official word from LaCoste. After I was contacted by Martin Lefevre, I contacted LaCoste through the contact form on their website. Here’s what I wrote:
Dear Lacoste, I am a blogger and recently received an email from a “Martin Lefevre,” supposedly from an advertising company named “Rita Agency.” Lefevre offered me an advertising deal displaying banner ads for Lacoste, however the situation seems illegitimate. I would like to know if you have any knowledge of Martin Lefevre or this Rita Agency. Please let me know if this is a true representative of your company. Thank you.
Nearly a month later, I finally got a response from a LaCoste representative:
Sorry for the late feedback regarding your email mid-December.
We had to investigate around the world with our digital agencies and legal team.
As you assumed, and you can read in the link below, this request was totally illegal and we thank you for letting us know.
So, there you have it.
Brian says
Same email, different person – mine was from Lilian Marchand with Lemma Agency – website looks exactly the same as the one above, except for Lemma instead of Rita
Glad I did the research – it just didn’t make sense that a big brand like LaCoste would want to advertise on my little exercise blog…
Vanessa says
Yeah, I just got Lillian from Lemma. It looked like spam so I googled and found your story. Thanks for putting the word out.
tim says
Same exact thing from Lillian Marchand with Lemma Agency.
It is not unusual for us to receive advertising solicitations, but to install a plugin is a big no-no for us.
I am curious however, what their end goal is.
I am tempted to set up a dummy site with dummy paypal to see if they pay.
SLee says
I don’t think their scheme ever gets that far. From what I’ve read elsewhere, they just send out an email like the one I got saying that they don’t want to advertise with you anymore.
SLee says
Yeah, I thought the same thing. Why would LaCoste want to advertise here? I wonder if the scammers are even looking to see what kind of bloggers they are contacting.
Vetti officer says
You are not alone my friend.. me too just got hit by the same type but with a name Lilian Marchand from lemma agency
Check out my story at
http://www.vettiofficer.com/2011/12/16/lacoste-banner-advertisment-scam/
thanks for the post
SLee says
They are clearly operating under several pseudonyms. The more names we can post, the more likely we will be to help other unsuspecting bloggers from being duped.
Monica B. says
I installed the plugin and then removed it, when they canceled the ad placement. Nothing bad happened.
SLee says
Nothing bad happened on my sand-boxed site either. It seems that plugin isn’t inherently corrupt, but it could possibly create an easy way for the scammers to access your blog’s internals at some point down the road.
However, if that’s their plan, I don’t know why they would say that the plugin can be removed after LaCoste decides to advertise elsewhere.
SLee says
I’m not really sure what their plan is. From my experience, and from the experience of others they have contacted, they don’t seem to actually be doing anything.
Anyway, I think the biggest thing is to help make the blogging community aware that this kind of thing is going on.
Jeremy T. says
Please add the following identity to this scam’s details:
SACHA CHARLES @ LANA AGENCY (www.lanaagency.com)
And thank you for posting this article so I could find it BEFORE getting scammed by these people.
SLee says
Hey, Jeremy,
Thanks for the additional info.
I’m glad you didn’t get scammed!
dr. stanley taub says
I also received the exact same scam letter from a Paul Lambert from the so called Dana agency ([email protected]) wanting to pay for an ad on my stickyrollers.com website for LaCoste. I sent a reply: $5.00 per click, to see if the response will be for the plug-in.
SLee says
Thanks for sharing. Let us know how it turns out.
Some Guy says
Perhaps the scammers aren’t trying to scam the blogger by direct means, but by simply not paying up. Since it seems like they’re doing nothing, perhaps they are trying to actually advertise, with the intention of not paying the websites they get to host their banner ads. Could be as simple as that. The plug in could just be a way for them to change the banner ads to something they can actually get paid for via per click, or page views.
SLee says
Thanks for your comment.
Hypothetically, that could be their scheme. But it doesn’t match my experience. None of the other reports I’ve read about it would match that hypothesis, either. The last email the scammers send advises the blogger that they can remove the plugin from the site. If they were planning to load different ads, they wouldn’t be able to do so if the plugin isn’t there anymore.
Wendy says
I was hit this week. Went as far as to install the plugin but not activate it before thinking I needed some more information about this. I was approached by Tristan Muller of the Gana Agency. Link to the same site. Worrisome. I hate that I even downloaded this on my computer at all. Have deleted everything but am now concerned. Glad to know that so far nothing has happened with you.
SLee says
Hey, Wendy. Thanks for sharing. I’m glad you found out about this before anything bad happened. You might consider changing your password just to be safe.
Thom says
I just got the same thing. The lemmaagency.com site no longer registers at all (I get redirected to a search page, where interestingly enough there is a wordpress support thread among the results). Probably worth checking out: http://wordpress.org/support/topic/i-installed-a-fake-plugin-sent-by-httplemmaagencycom
The gist of it is this:
“it certainly sounds fishy. without a way to see the plugin, we can only speculate on what this plugin may have done to your site.
It could have sent your admin username and password somewhere – so changing all passwords on the site may be a good idea.
It may have made changes to code in your WordPress core files, plugin files or theme files. Or added/ changed something in the database.
Changes might be masked on the front end to only be seen by people with a particular browser, or by search bots
replacing the files and database with the last known clean backups would be prudent in cases where a hacked site is suspected.”
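The file-change case in the advice quoted above can be checked by hashing the live WordPress tree against the last known clean backup and listing what differs. This is an added example, not part of the original comment or the WordPress support thread; the directory layout and file contents are constructed, and only the path wp-content/plugins/adv/adv.php comes from an error message quoted elsewhere in these comments.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def area(rel_path):
    """Sort a path into the areas the quoted advice names: core, plugin or theme files."""
    for prefix, name in (("wp-content/plugins/", "plugin"), ("wp-content/themes/", "theme"),
                         ("wp-content/", "other wp-content")):
        if rel_path.startswith(prefix):
            return name
    return "core"


def compare_to_backup(backup_root, live_root):
    """List files added, modified or removed in the live tree relative to the clean backup."""
    clean, live = hash_tree(backup_root), hash_tree(live_root)
    changes = []
    for rel in sorted(set(clean) | set(live)):
        if rel not in clean:
            status = "added"
        elif rel not in live:
            status = "removed"
        elif clean[rel] != live[rel]:
            status = "modified"
        else:
            continue  # identical to the backup
        changes.append((status, area(rel), rel))
    return changes


def demo():
    """Build two small constructed trees in a temp directory and compare them."""
    clean_files = {
        "wp-login.php": "<?php // constructed core file\n",
        "wp-includes/version.php": "<?php // constructed core file\n",
        "wp-content/themes/mytheme/footer.php": "<?php // constructed theme file\n",
    }
    live_files = dict(clean_files)
    # Constructed differences: a plugin directory absent from the backup, and a changed theme file.
    live_files["wp-content/plugins/adv/adv.php"] = "<?php // constructed stand-in\n"
    live_files["wp-content/themes/mytheme/footer.php"] += "// constructed extra line\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("backup", clean_files), ("live", live_files)):
            for rel, text in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
        return compare_to_backup(Path(tmp, "backup"), Path(tmp, "live"))


if __name__ == "__main__":
    for change in demo():
        print(*change)
```

A file comparison like this says nothing about the database or about content shown only to particular browsers or search bots, the other cases the quote lists.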
SLee says
Hey, Thom. Thanks for all the info. Did you discover that it was a scam before installing the plugin?
gavin says
I got hit yesterday, same thing, different names, mine was Valentin Lopez at Gera Agency http://www.geraagency.com
Thanks
Scott says
Hey guys, I was hit with the same email too yesterday. Only this time they’re using the name Gemerro Agency.
The person’s name is Victor Brunet and the link takes me to the same French site. So add another to the list. Glad I did my research before responding further.
Apparently they’re targeting everyone, because I run a sports blog.
Thanks!
SLee says
Hey, Scott. Thanks for your comment. These guys seem to be continually changing their names, but it’s always the same song and dance.
Eastwood says
Contact by Noah Vincent via the same method:
Noah Vincent
site: http://www.legretto.com
e-mail: [email protected]
phone: + (0)9 78 62 60 53
DJPianz says
Contacted by the same person Noah Vincent,
Already do as per instruction, and plugin was installed, 12 hours later, decided to check on my website, it redirects them to unknown website.
Goto admin, deactivate the plugin and restored back to normal.
SLee says
Thanks for this information. Perhaps that is their scheme: to redirect visitors to another site.
Hopefully everything is back to normal for you.
marc says
Add mine to the list:
I actually went as far as trying to activate and got an error from my blog stating
Fatal error: Cannot redeclare class AdvWidget in /home/mysite/public_html/wp-content/plugins/adv/adv.php on line 32
Thankfully it did not activate. I’ve emailed William Joly of Leggeto.com (a domain just registered on Feb 9th (I was contacted on Feb 10th, wow))
http://who.is/whois/leggeto.com/
I will tweet out your article and let the world know! SCAM!
SLee says
Hey, Marc. Thanks for the additional info.
Nichol says
Ugh, I also fell for this.
Contact: Noah Vincent Email: [email protected]
I installed the plugin as all seemed legit and got the same reply back:
Hi!
Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future!
I am sharing and will also blog. I feel like contacting them back ugh
SLee says
Hey, Nichol. I emailed them back but got no response. Let us know if you hear anything.
kamelka says
Hi, I got the same email but from a person called Noah Vincent and Legretto Agency… I installed the plugin and afterwards did a proper research (sigh). Afterwards, I uninstalled it and called my hosting company. Hopefully, everything will be ok.
SLee says
I hope so, too!
David Stillwagon says
My email was from Samuel Blanchard here is the email
I represent Rezatta Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
I downloaded the plugin and then I tried to activate it but it didn’t work.
I have since deleted the plugin
I hope that I didn’t cause any problems by downloading it…
SLee says
Hey, David. Thanks for sharing. You might want to change all your passwords just to be safe.
vivaglamx3 says
Received the same e-mail, luckily started doing research on time and immediately trashed the e-mails. Mine came from William Joly, saying he works for a company called Leggeto.
Wendy says
Still no sense from anyone on what the angle is here, huh? Why are they doing this? What is this plugin actually doing to our blogs and machines? Anyone have any insight?
SLee says
Hey, Wendy. DJPianz commented above that his site was redirecting visitors to another site when he had the plugin installed. Perhaps that is their scheme. With scams like this, it is difficult to determine the motivations behind the scammers.
Do you have any other theories?
Paula says
The same thing in here, mine was called Noah Vincent from Legretto Agency. I’m glad I did my research before I sent them my bank account details!
Debbie Shelor says
Hi:
Thanks for posting this information.
I got the same email from Lillian Marchand with Lemma Agency. Since I had recently negotiated a successful transaction from a legitimate invitation to have text links on one of my websites, it never occurred to me that this similar appearing invitation might be a scam. Luckily when I wrote back asking them to make an offer, the email bounced. So I never got as far as a negotiation and the request to install some plug in.
Thanks so much for writing about this here and alerting me to that potential. I will definitely be on the look out for it in the future.
Anthony Olszewski says
I was contacted by someone at lezetta.com with the same pitch. The Sites are similar to anacrouse.com which appears to be a valid concern. I was able to reach R DiMauro through anacrouse.com.
SLee says
IP address tracking has indicated the scammers might be based in Iran.
Tetcha says
I received an email, too, from Erwan Brun of Bizotto Agency, we agreed on the price of the banner, and he made me install the adv.zip plugin. However, after I installed the plugin the other day, I never received a reply from him again. This made me doubtful and that’s how I came to know your post now when I search for the adv plugin. Now I had the plugin removed. I asked my web host provider to check my site, and she said my site is clean. Thank heavens! This is really scary!
Friedbeef says
Latest incarnation of this scam, they are calling themselves Bizotto Agency. Beware!
Cory says
You can add one more name and agency to that list… Thibault Lucas with the Nettero Agency.
Mark Allen says
Now they are using Burgoni Agency as the name of their company. Everything else is the same.
Anne Walsh says
I got the Burgoni Agency email as well from one Nicolas Gauthier. After his initial inquiry, which seemed legitimate, I set up Cranky Ads on my website and got it all prepared.
Got back to him yesterday with a price, which he said they were very happy with. Then followed instructions on how to install the adv.zip plug-in. I was a bit worried about installing a third-party plug-in, so checked the WordPress.org support forum and couldn’t find any info.
Then I came across this article – Thank heavens!
Will now block sender and tweet about this scam. At least if any legitimate advertisers approach me, I have the plug-in in place. Every cloud…..
SLee says
Hey, Anne. Thanks for your comment.
I’m glad you found out about these guys before they were able to do any damage to your site.
How is Cranky Ads working for you?
Anne Walsh says
I haven’t put Cranky Ads to the test yet, as I only installed it on my site in order to accommodate the Burgoni Agency. However, it was quite easy to install and once you’ve got it and set up a PayPal business account, it should run itself.
There seems to be a FAQ section, and the guy who runs it is very helpful and hands-on. I’m so glad I did this, otherwise I might have gone straight ahead and installed the spammer’s plug-in, assuming this was normal practice.
Hope everyone else’s sites are okay. Have tweeted and shared this article on Facebook. I’ll stop there before I really say what I think…
Seth says
Yep, got an email last week from “Nicolas Gauthier” saying he’d like to buy a banner ad. I actually did sell a text ad to a random inquiry two years ago that I’m still running, so it was certainly possible that someone might want to run a small campaign on my site.
I quoted what I thought was a little on the high side, was pleasantly surprised it was accepted, and set about preparing to run the banner. I logged into their site and read the instructions, but thought it was odd that I’d need to install a wordpress plugin just to run a banner ad… so I googled for Burgoni and scam.
And then I found this page, and am commenting right now. Can anything be done about this? I’m submitting a fraud complaint to privacyprotect (the listed registrar of the site), but don’t really know what else can be done save for publicizing this page (which I’m about to do).
Kat says
Erwan Brun – Bizotto Agency
Ana says
I did get the same email and asked me to install the same plug-in. After I have installed it, I never heard from them again. This time the name is Eliot Morin of Nelly Agency. I checked the agency after that (I should have done it before installing the plug-in!) and they don’t exist. Same thing, they said it’s for Lacoste banners etc etc.
SLee says
Thanks for sharing, Ana.
afromartha says
OMG I totally fell for the scam too in January. Mine was from Tristan Muller from the Gana Agency. I installed the ADV plugin and just kind of forgot about it, till now. I just migrated my site and I was going thru my plugins. I didn’t know what the ADV plugin was, googled it and bam! This IS really scary stuff. Thanks for posting this info.