SLee and Topher

Two Guys on Gaming, Tech, and the World

Warning Bloggers: Beware of Blog Banner Ad Scam with ADV Plugin

By 58 Comments

…If sinners entice you, do not consent… If they say, “…We shall find all precious goods, we shall fill our houses with plunder; throw in your lot among us…” …do not walk in the way with them… for their feet run to evil, and they make haste to shed blood. …Such are the ways of everyone who is greedy for unjust gain; it takes away the life of its possessors.

Proverbs 1:8-19

Wouldn’t it be nice to be rich? Not just a little rich… I mean so rich that you can swim around in your money like Scrooge McDuck. You would be completely free from the shackles of debt, free to do anything you want in life.

The Internet and Scams

The creation and development of the Internet has spawned a multitude of ways for the clever and industrious to make that kind of money online. Though many online entrepreneurs have been able to use this technology in legitimate ways, the medium itself aids those who want to disguise their true identities to trick, manipulate, and otherwise harm unsuspecting prey.

The perpetrators masquerade in various forms. Sometimes they are poor or in trouble and need some kind of help. If you’re reading this post, you’ve probably heard of this scam involving a Nigerian needing help with international wire transfers. Sometimes they pretend to be representatives of the lottery, congratulating you on your winnings (as soon as you pay the processing fee).

Just like effective sales copy, these scams work because they promise to satisfy a desire of the reader — specifically in these cases, a desire for money.

They fail because they are over-the-top… and because they have been publicized.

Introducing the Banner Ad Scam

Savvy netizen that you are, you may think that these scams are so obvious that you would never fall for one. I thought the same thing until I got this email:

From: Martin Lefevre <mlefevre@ritaagency.com> Subject: Message Body: Hi, We are looking for new advertisement platforms and we are interested in your site www.sleeandtopher.com. Is it possible to place banner on your site on a fee basis? Best regards, Martin Lefevre

Direct ad sales like this do come along from time to time, so I wasn’t  particularly alarmed by this email. And I want to make some money from blogging, so I sent back a request to see what kind of banner ad he wanted to run. I got this email in response:

Hello, Thanks for reply to our proposal! I represent Rita Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160x600, 240x400, 300x250, 336x280, 468x60, 728x90. What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month. Here you can see our banners: http://docs.ritaagency.com/lacoste/?view=1 Best regards, Martin Lefevre. site: www.ritaagency.com e-mail: mlefevre@ritaagency.com phone: + (0)9 78 62 64 18

Lacoste

The real logo

If you go to the website mentioned in the email, you will find banner-sized .gif images for Lacoste. In retrospect, they look pretty shabby compared to the sleek design of the official Lacoste website.

Not thinking clearly, I was still operating under the assumption that this might be legit, so I sent back a pricing offer. I expected some kind of negotiation, but there was none. (Some bloggers who have also been targeted by these people have reported that they sent back ridiculous offers, like $1,000, and they were also “approved.”)  Martin replied with this:

Hi! Thanks for reply to our proposal! We like your price.We would like to place 468x60 banner. To pass to the banner control system follow the link http://webmaster.ritaagency.com To enter use the following data: login: www.sleeandtopher.com password: XXXXXXX You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: https://www.sleeandtopher.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made. To get installation instruction for your site type pass to: http://docs.ritaagency.com/wp_install To activate your site you have to enter the code: XXX-XXX-XXX We pay through Wire, Check, Paypal. What way of payment is suitable for you? Best regards, Martin Lefevre. site: www.ritaagency.com e-mail: mlefevre@ritaagency.com phone: + (0)9 78 62 64 18

I had never heard of an advertising company needing publishers (in this case bloggers) to install a special plugin to serve ads. It seemed highly suspicious that I needed to install this ADV plugin, so I started doing some research (which I should have already been doing).

Who is Behind the ADV Plugin Banner Ad Scam?

It turns out that the same person or people have been using the same modus operandi under various pseudonyms for at least a couple months. I got an email from “Martin Lefevre” from the “Rita Agency,” but other bloggers have received identical emails from:

  • Killian Blanchard     —     Jino Agency
  • Rayan Meyer     —     Bevesto Agency
  • Martin Dumont    —     (agency name unknown)
  • Jules Barbier     —     Marka Agency
  • Oscar Meunier     —     Kervel Agency
  • Noa Morin     —     Kara Agency

Regardless of the name used, the scammer sends out the same emails, pitching an ad deal for Lacoste and then requesting the blogger to install the ADV plugin. The scammers have a form website that they copy for each domain name, corresponding to each spurious company. The websites look like this:

Rita Agency

What’s in it for the Scammer?

It’s unclear at this time what the end goal is for Martin Lefevre (or whatever her name is). If the scammer(s) are able to phish a blogger’s payment account details they might try to do something malicious with that information. Another possibility is some sort of exploit with the ADV plugin that they are using.

I’m not a PHP expert by any means and would not have been able to see exploits in the code even if there were any, but other bloggers reporting on this scam have shared that there doesn’t appear to be anything in the code as it is. Perhaps this was foolish on my part, but I ran the plugin on a sand-boxed WordPress site, and it seemed to do what the scammers said it would.

Of course, this is a huge security issue. Installing this third-party plugin opens a door to the scammers to potentially access the innards of your blog and do all kinds of nasty things with it.

Though social engineering and hackery are both possibilities, they are merely speculations. It is yet to be discovered for sure what these scammers are after.

Who’s at Risk?

Because their strategy requires the use of a third-party WordPress plugin, only bloggers who run a self-hosted WordPress blog are susceptible to this scam. Though if the exploit is through the plugin itself, it’s possible that the same kind of attack could be recreated for other content management systems like Joomla and Drupal.

I suspect WordPress has been targeted because of its popularity.

Of all the open source content management systems (CMS) available to bloggers, WordPress is by far the most popular. Famous WordPress developer Yoast recently released this infographic on WordPress usage, showing that as of March 2012 WordPress is used on 72.4 million sites worldwide. Compare this to Joomla’s usage on 1.6 million and Drupal usage on a mere 684,055 sites, and it becomes clear why the WordPress community is such a large target.

Do You Know Martin Lefevre?

Have you had any interaction with these scammers or other banner ad scams? Let us know your story in the comments below.

Update: My Site Was “Rejected”

A few days after Martin told me to install the plugin, I got this final email from him:

Hi! Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future! Best regards, Martin Lefevre. site: www.ritaagency.com e-mail: mlefevre@ritaagency.com phone: + (0)9 78 62 64 18

Another Update (1/26/2012):

As if any confirmation was needed, today I received an official word from LaCoste. After I was contacted by Martin Lefevre, I contacted LaCoste through the contact form on their website. Here’s what I wrote:

Dear Lacoste, I am a blogger and recently received an email from a “Martin Lefevre,” supposedly from an advertising company name “Rita Agency.” Lefevre offerd me an advertising deal displaying banner ads for Lacoste, however the situation seems illegitimate. I would like to know if you have any knowledge of Martin Lefevre or this Rita Agency. Please let me know if this is a true representative of your company. Thank you.

Nearly a month later, I finally got a response from a LaCoste representative:

Sorry for the late feedback regarding your email mid-December.

We had to investigate around the world with our digital agencies and legal team.

As you assumed, and you can read in the link below, this request was totally illegal and we thank you for letting us know.

So, there you have it.