Beware! Banner advert scam on WordPress with adv.php

If you receive an email like this what would you do?

I am sorry I have to write you to e-mail from whois information of the domain. But I could not find contact e-mail or feedback form on your site.

We are looking for new advertisement platforms and we are interested in your site.
Is it possible to place banner on your site on a fee basis?

Best regards,
Lilian Marchand

I replied and asked what they had in mind. Here’s their reply back

I represent Lemma Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

Best regards,
Lilian Marchand.

e-mail: [email protected]
phone: + (0)9 78 62 24 83

I thought up a price and fired it off in another mail. This was accepted back in similar speed.
I was then given a link to some code to download that appeared as a non harmful zip file that opened as adv.php with instructions on how to make the site ready for banners and payment.

The adv.php code was to be added into the wordpress blog as a plug-in. Alarm bells rang. Why would an ad agency want to add a plug-in? Normally they just provide banners as graphics with tracking links. Something smelled fishy.

Could the code be harmful? I had a quick read through and it seemed ok, but php is not my strong point. I asked my IT colleague to check it over.

A bit of research later and he came across many other blog owners who’d had similar emails, from different ad agencies. All worded exactly the same and all warning of this new scam.

These buggers are becoming clever…no longer content with sending you viruses through email or server hacks, they’re now getting web owners to do the hacking for them.

So if you run a wordpress site and get a email with similar characteristics. Ignore…or come up with some form of wind up and string them along.

More in-depth details of the people who discovered it was a hack can be found here: @peaz and here SLee and Topher


If you read this and a similar thing has happened to you feel free to add a comment with your experiences.

7 thoughts on “Beware! Banner advert scam on WordPress with adv.php

  1. Thanks for linking to my report on this scam. I think making the blogging community aware of what’s going on will be the best way to keep the malcontents at bay.

    Have you discovered any evidence as to what these jokers intend to do with their ADV plugin?

  2. No idea but if it’s malicious I hope they keep getting found out before they cause too much damage. It does all look very realistic.

  3. Thanks for the warning. I got a similar message on my blog this morning, also from Lilian Marchand at Thankfully I did my research before I responded.

    One question: has anyone checked to see if the website itself is dangerous? That’s the first place I went in my research.

  4. A followup: I installed wget and pulled the homepage and linked subpages for I might have missed a subpage, but most looked clean. I did find one, “actu-24.html”, that had a large block of embedded instructions for Internet Explorer and Microsoft Office. I didn’t try to decipher the block, and it’s possible it’s leftover from editing files with Microsoft Office, but I’m glad I tend to not use Internet Explorer.

  5. haaa i just got one from lilian marchand too (obviously was led here by a google search, the first thing that sounded fishy to me was that nobody would ever want to purchase ad space on my blog). i’m going to have some fun with this one.

  6. What is the supposed end-game of this scam?

    I got one from which appears to be a legitimate French ad company website. I was pretty sure it was a scam and I’m glad I wound up here, the sales pitch was the same.

    They’ve done a lot of work to create the phony websites, but why?

    1. The web site they use has been used on all the different companies, so it’s not too much trouble to knock up a template and then change the name of the “agency” . Worth it if their scam works.

Leave a Reply

Your email address will not be published. Required fields are marked *