WordPress – adv.zip is a SCAM – bevestoagency.com aka markaagency.biz

Looks like this SCAM has been published from at least the following domains:
bevestoagency.com (the potential domain which almost got me)
kervelagency .com (Martin Dumont)
gelbertagency.com (Suspicious adv.zip WordPress Plugin)
markaagency.biz (Markaagency.biz/adv.zip plugin is a wordpress scam)

After some research it seems quite possible this is a scam, but what I cant figure is what exactly is the scam, is it a social engineering attack (where they use might site to post spam), is the plan to use my hosting account for a zombie attack on other systems on the net, or is it just a method to attempt to gain access to my bank info (when they ask for payment method info).

What I do know is that this same email marketing approach seems all to well known by many skeptical webmasters around the net. Each having a similar story about an advertising agency contacting them to run an ad campaign for Lacrosse.

This version almost got me: adv.zip (FOR RESEARCH ONLY. DO NOT INSTALL AND USE THIS PLUGIN!)
Version 2.6.1 obtained from source at http://webmaster.bevestoagency.com/ on Dec 1, 2011
SCAM – adv.zip WordPress Plugin – plugin source

Version 2.6.2 posted Aug 11, 2011
Suspicious adv.zip WordPress Plugin – plugin source

When Diffed I found the following results:

The Differences

  Plugin Name: ADV
  Description: ADV Plugin
-  Version: 2.6.2
+  Version: 2.6.1

-class AdvWidget37 extends WP_Widget {
+class AdvWidget extends WP_Widget {

-    function AdvWidget37() {
+    function AdvWidget() {
-        parent::WP_Widget(false, $name = 'Adv Widget');
+        parent::WP_Widget(false, $name = 'AdvWidget');

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;

    function form($instance) {


-add_action('widgets_init', create_function('', 'return register_widget("AdvWidget37");'));
+add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
add_action('admin_menu', 'advPluginMenu');

register_activation_hook(__FILE__, 'advActivation');

-define('ADV_SERVICE_DOMAIN', 'gelbertagency.com');
+define('ADV_SERVICE_DOMAIN', 'bevestoagency.com');

from that and the info from atpeaz.com. I looks like the different versions are being used by different company names.

More Info for your convincing

This guy has spotted many suspicious parts of the code and explains them well.
WordPress blogs targeted scam

Leave a Reply

Your email address will not be published. Required fields are marked *