WordPress Hijacking through Banner Scam

As you maybe aware that WordPress is a open source software for weblogs. The Hackers have come up with a new strategy to hijack your wordpress by offering you Banner Advertisement.

Recently, Archer Softech has received a similar email for one of it’s other legal site, as follows:

Hi,

We are looking for new advertisement platforms and we are interested
in your site consumerlaw.in.
Is it possible to place banner on your site on a fee basis?

Best regards,
Lilian Marchand

After sending the proposal, the following further replies were received:

Hello,
Thanks for reply to our proposal!

I represent Lemma Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.

What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.

Best regards,
Lilian Marchand.
site: www.lemmaagency.com
e-mail: lmarchand@lemmaagency.com
phone: + (0)9 78 62 24 83

Hi!
Thanks for reply to our proposal!

We like your price.
To pass to the banner control system follow the link http://webmaster.lemmaagency.com
To enter use the following data:

login: c*******law.in
password: KFEZ0966

You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://c*******law.in/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: http://docs.lemmaagency.com/wp_install
To activate your site you have to enter the code: GH2-NS5-4K6

What way of payment is suitable for you?

Best regards,
Lilian Marchand.
site: www.lemmaagency.com
e-mail: lmarchand@lemmaagency.com
phone: + (0)9 78 62 24 83

This is where the suspicion creeps in, because an advertiser will never offer you any code, but a simple graphical banner. Further, the hacker represents himself from Paris but his IP 69.172.131.212 points to city of Wilmington from Delaware (USA) using Pilosoft ISP, as follows:

 

Further, in case we assume that hacker is using a proxy IP address, then the other information tracked, i.e. Language of recipient’s PC: ru-RU (Russian/Russia)… points to the fact that these hackers are Russians and even located in Russia too… from where numerous hacking attempts originate.

This another website provides more details as these kind of emails maybe generated in different names…. but their website looks the same. Some of the names used are: Jino Agency, Bevesto Agency, Marka Agency Kervel Agency, Kara Agency, Rita Aganecy, Lemma Agency and so on…

So next time you receive any such offer… just ignore such an offer, as in all the emails similar kind of language is use !

One Response to “WordPress Hijacking through Banner Scam”

1. Adam says:

   January 12, 2012 at 8:19 pm

   I was able to remove the Plugin and Widget fairly easily. Will need to check if it harmed my website though.