Peter Bargh

words pictures sounds
December 14th, 2011

Beware! Banner advert scam on WordPress with adv.php

If you receive an email like this what would you do?

I am sorry I have to write you to e-mail from whois information of the domain. But I could not find contact e-mail or feedback form on your site.

We are looking for new advertisement platforms and we are interested in your site.
Is it possible to place banner on your site on a fee basis?

Best regards,
Lilian Marchand

I replied and asked what they had in mind. Here’s their reply back

I represent Lemma Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

Best regards,
Lilian Marchand.

phone: + (0)9 78 62 24 83

I thought up a price and fired it off in another mail. This was accepted back in similar speed.
I was then given a link to some code to download that appeared as a non harmful zip file that opened as adv.php with instructions on how to make the site ready for banners and payment.

The adv.php code was to be added into the wordpress blog as a plug-in. Alarm bells rang. Why would an ad agency want to add a plug-in? Normally they just provide banners as graphics with tracking links. Something smelled fishy.

Could the code be harmful? I had a quick read through and it seemed ok, but php is not my strong point. I asked my IT colleague to check it over.

A bit of research later and he came across many other blog owners who’d had similar emails, from different ad agencies. All worded exactly the same and all warning of this new scam.

These buggers are becoming clever…no longer content with sending you viruses through email or server hacks, they’re now getting web owners to do the hacking for them.

So if you run a wordpress site and get a email with similar characteristics. Ignore…or come up with some form of wind up and string them along.

More in-depth details of the people who discovered it was a hack can be found here: @peaz and here SLee and Topher


If you read this and a similar thing has happened to you feel free to add a comment with your experiences.