I recently received an email from someone named Noa Morin at a company called the Kara Agency, saying she wanted to run a banner ad on one of my self-hosted WordPress blogs and asking me to quote a price.
She accepted the price right away, then said she wanted me to install a plug-in on my site that would display the ads. She said, after I asked, that the company advertising was Lacoste.
Long story short, this is a scam. Someone has been sending out the same emails under different "agency" names. The agencies are fakes. Their websites are duplicate copies of another website, with just the agency name changed. The original website, which all the others were copied from, may or may not be legit itself. The domain names for the duplicate websites were registered only days before email started being sent out under their names.
First contact:
From: "Noa Morin" 〈nmorin@karaagency.com〉
Sent: Tuesday, October 25, 2011
Hi,
We are looking for new advertisement platforms and we are interested in your site www.-------.com.
Is it possible to place banner on your site on a fee basis?
Best regards,
Noa Morin
At this point, I thought it was probably a scam. Despite a recent spike in traffic, which I expected to be short-lived, my site had been semi-dormant for a long time, and its usual traffic patterns wouldn't justify someone contacting me out of the blue to ask about advertising. The karaagency.com site was nicely designed, though, with a look that seemed creative enough to be a real site for an advertising agency. So I wasn't sure.
Figuring I had nothing to lose, as it probably wasn't a legit offer -- but responding just in case it was -- I replied, quoting a high weekly price. I got this response:
Hi!
Payments will be processed automatically every month, that's why we ask the price per month. There is no option in our billing system to make 1 week prepaid. Please offer your price per month
Best regards,
Noa Morin.
site: www.karaagency.com
e-mail: nmorin@karaagency.com
phone: + (0)9 78 62 31 00
This seemed odd and didn't make much sense. But still playing along and curious to see what they were up to, I responded with a monthly price which was much higher than the going rate (which I had just researched) for advertising on a site with traffic like mine. I figured in the unlikely chance that they were legit, they could make a lower counteroffer. I got this response:
Hi!
Thanks for reply to our proposal!
We like your price.
To pass to the banner control system follow the link http://webmaster.karaagency.com
To enter use the following data:
login: ----------
password: -------------
You should install and activate the plugin in order to display advertisement. Before making payment, advertiser must approve location of the banner. The banner will be shown on your site when you add special code to your web- address (for example: http://www.-----------.com/?adv_test=1). It means, that visitors will see the banner only if it is approved and payment made.
To get installation instruction for your site type pass to: http://docs.karaagency.com/wp_install
To activate your site you have to enter the code: ----------
What way of payment is suitable for you?
This rang a lot of alarm bells. Why would they accept my (hugely inflated) price without even asking about my site traffic and visitor demographics? Why would they want me to install a plug-in? Plug-ins can be dangerous -- they can take over the whole blog. In my limited experience with blog advertising, I just put JavaScript code in the sidebars.
I wrote back asking them what advertisements they would be showing, why she thought my blog's audience would be a good fit for their advertisers, and whether I could veto objectionable ads. I thought if they were scammers, they just wouldn't answer, but I did get this response:
Hi!
I represent Kara Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.)
Plugin installation doesn't mean that banner will appear on your site, it won't until payment is made. It is needed to let the advertiser check your site and decide if it fits his requirements.
If advertiser like your site, you receive payment and only after it, the banner will appear.
No, we don't ask you to change your URL.This test link is given you to see how the banner would look and where it would be placed.( but in fact it is not on your site, you can see in only when you add "?adv_test=1")
This was the first I had heard that the ad had to be approved by the advertiser -- I thought the agency had already accepted my offer. Also, my blog's audience is pretty geeky, and I couldn't imagine why someone representing a high-end designer clothing and perfume company would choose a geeky blog to run their ads. No offense to geeks, but they (we) are not the first group that usually comes to mind when someone thinks about who is most likely to spend a lot of money on cutting-edge fashion. My blog readers, actually, almost never click on anything, not even on things I expect they would like. Ads for expensive perfume would not be a big hit.
I asked a friend who knows WordPress PHP coding to look at the plug-in (which I had downloaded, but NOT installed). She said it looked okay, that it was just pulling ads off the agency's server.
Still, my gut was saying "Don't do it."
A web search for "Noa Morin" and "Kara Agency" showed a lot of identical comments left on blogs saying she wanted to run banner ads on their sites and that she was leaving a message in the comments because she couldn't find their contact information. The comments all ended, almost whimsically, with the line "P.S. Please delete this comment." Nothing else was showing up in my searches.
At that point, I decided to just drop it. I was afraid there was a chance I was letting an opportunity slip away, which I would hate to pass up because I had been hoping to make some money with that particular blog for a long time. The plug-in itself was apparently clean, and some people were urging me to go for it. I had some doubts about my own reactions, wondering if I was being overly suspicious or even paranoid. In the end, though, I decided to listen to my gut, and I figured that any money I might get (if the agency turned out to be legit) wouldn't be worth the stress of worrying about what the plug-in might be doing to my blog, which was a long-term labor of love.
About a week later, still curious, I did another Google search. This time, someone had left comments on the blogs where Noa Morin had left comments with a link to his own site describing his experiences with the Noa Morin emails. The link was a bit.ly link, which in itself raised questions, but after reading the page, I was convinced it was legit.
This blogger did two things that were very clever, which I wish I had thought of doing myself. First, he looked at the karaagency's whois page. The registration was privacy protected, which is very odd, I think, for a company. Individuals, yes, but companies, no. Also, the domain name had only been registered 10 days before the first email was sent. Second, the blogger called Lacoste, and they said they had never heard of the Kara Agency.
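The two WHOIS checks described above (domain age at first contact, privacy-protected registrant) can be scripted. This is an added example, not code from the original post; the WHOIS text is constructed for a placeholder domain and mirrors the 10-day gap before the October 25, 2011 email, and the 90-day threshold and the keyword lists are assumptions.

```python
import re
from datetime import date, datetime

# Constructed WHOIS text for a placeholder domain; not a real record.
SAMPLE_WHOIS = """\
Domain Name: AGENCY.EXAMPLE
Creation Date: 2011-10-15T09:12:44Z
Registrant Name: Domain Privacy Service
Registrant Organization: Privacy Protected
"""

CREATED_KEYS = ("creation date", "created on", "created", "registered on")
PRIVACY_HINTS = ("privacy", "redacted", "proxy", "protected")  # assumed keywords
DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

def parse_fields(whois_text):
    fields = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            # Keep the first value seen for each lower-cased field name.
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def parse_date(value):
    # Drop the time part ("T09:12:44Z" or " 09:12:44") before parsing.
    token = re.split(r"T(?=\d)|\s", value.strip())[0]
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(token, fmt).date()
        except ValueError:
            pass
    return None

def assess(whois_text, first_contact, min_age_days=90):
    """Return a list of warning strings for one WHOIS record."""
    fields = parse_fields(whois_text)
    findings = []
    dates = [parse_date(fields[k]) for k in CREATED_KEYS if k in fields]
    created = next((d for d in dates if d), None)
    if created is None:
        findings.append("no creation date found; check the registry record by hand")
    else:
        age = (first_contact - created).days
        if age < min_age_days:
            findings.append(f"domain was {age} days old at first contact")
    hidden = sorted(k for k, v in fields.items() if k.startswith("registrant")
                    and any(h in v.lower() for h in PRIVACY_HINTS))
    if hidden:
        findings.append("registrant hidden behind a privacy service: " + ", ".join(hidden))
    return findings
```

Calling `assess(SAMPLE_WHOIS, date(2011, 10, 25))` returns both warnings; a long-established domain with a named registrant returns an empty list.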
Some more web searching showed that other people had received the same emails sent under different names. Then, instead of searching on "Noa Morin" and "Kara Agency," I searched on "scam banner Lacoste" (without the quotation marks) which brought up a lot of new stuff, including "Devious Scam Aimed at Bloggers," which gives a very good description of the whole experience, and "Keep Safe on the Net," which has a lot of comments from people who have received the emails sent under various names.
It is 100% certain that this is a scam because the email senders change the name of the "agency" every few weeks, and the agency sites, under all the different names, are all clones of each other. No one that I am aware of, though, has yet figured out exactly how the scam works. The consensus view is that the code in the plug-in is benign, and that the harm would probably come from the pictures or links in the ads that people would click on. Another possibility, this one rather diabolically clever, is that the scammers would introduce malicious code via plug-in updates. Most people routinely accept all updates without even thinking about it, much less checking the update code. The scammers could slip anything in that way. My guess is that they are trying to distribute spyware or other kinds of malicious code.
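A plug-in whose code "looks okay" can still hand control to a remote server, either through the content it fetches or through its own update channel. The following added example (not from the original post, and not the plug-in it describes) reviews plug-in source before installation for exactly those properties; the PHP sample is constructed, the host names are placeholders, and the rule set is an assumed starting point rather than a complete audit.

```python
import re

# Constructed plug-in source for illustration; not the plug-in from the post.
SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: Banner Helper (constructed sample) */
add_filter('pre_set_site_transient_update_plugins', 'bh_check_update');
function bh_check_update($transient) {
    $r = wp_remote_get('https://updates.agency.example/info.json');
    return $transient;
}
function bh_banner() {
    if (isset($_GET['adv_test'])) {
        $r = wp_remote_get('http://ads.agency.example/banner?site=' . home_url());
        echo wp_remote_retrieve_body($r);
    }
}
add_action('wp_footer', 'bh_banner');
"""

# Each rule names a property a reviewer should understand before installing.
RULES = {
    # The plug-in talks to a server the site owner does not control.
    "remote-fetch": r"\b(wp_remote_(?:get|post|request)|curl_exec|fsockopen|file_get_contents)\s*\(",
    # The plug-in supplies its own updates instead of using wordpress.org.
    "self-update-hook": r"(pre_set_site_transient_update_plugins|site_transient_update_plugins|plugins_api|Update URI:)",
    # Code is assembled or decoded at run time.
    "dynamic-code": r"\b(eval|assert|create_function|base64_decode|gzinflate)\s*\(",
    # A remote response is printed into the page without escaping.
    "unescaped-remote-output": r"\becho\s+wp_remote_retrieve_body\s*\(",
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def review_plugin(source):
    """Return (findings, hosts); findings maps rule name -> line numbers."""
    findings = {}
    hosts = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        hosts.update(h.lower() for h in HOST_RE.findall(line))
        for name, pattern in RULES.items():
            if re.search(pattern, line):
                findings.setdefault(name, []).append(lineno)
    return findings, sorted(hosts)

if __name__ == "__main__":
    found, contacted = review_plugin(SAMPLE_PLUGIN)
    for rule, lines in found.items():
        print(f"{rule}: lines {lines}")
    print("hosts contacted:", contacted)
```

A hit on `self-update-hook` means later versions arrive from the vendor's server without wordpress.org review, so a clean first version says nothing about the next one.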
What I learned from this experience:
1. Trust my gut.
2. "If it sounds too good to be true, it probably is." That old saying still applies.
3. I'm not paranoid, I'm prudent. (This time, anyway.)
4. Never install a WordPress plug-in that doesn't come from the official WordPress site.
5. Don't try to jump the gun. My sites don't have enough traffic for pay-per-view advertising from large companies. When and if they ever do, I can work through more normal channels.
6. When "Noa" first contacted me, I became curious about how much I could reasonably charge direct advertisers. I found this article, which was helpful, and now I know: How much should I charge for my advertising space? (Problogger)