Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 13 November 2013

ALERT: oxits.co.uk fraud playing on Cryptolocker

/edit 26-11-2013 22:14

I've now seen the confirmation showing they have permission to reproduce the article, so am retracting the fraud claim against oxits.co.uk. The only outstanding issue is their spamming me.


Woke up to find this in my inbox earlier.

CANNOT SEE THIS EMAIL? VIEW IT IN YOUR BROWSER <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e281ad95d1&e=226e5ef18b>

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e5016474da&e=226e5ef18b>

OXITS telephone<http://oxits.co.uk/cryptolocker/img/tel.png>

<http://oxits.co.uk/cryptolocker/img/top-rounded-bg.png>

large image <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=1b9d967fad&e=226e5ef18b>

CryptoLocker - You’re infected – if you want to see your data again, pay!

Don’t ignore this email!

Despite the pictures we have used, this is not a joke or a scam. It will take 2 minutes of your precious life but it will save your business, thousands of pounds and many days of work, stress and frustration! No, we are not selling anything. We, at Oxford IT Support are firm believers that knowledge comes free.

<http://oxits.co.uk/cryptolocker/img/bottom-rounded-bg.png>

logo <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=6771391daa&e=226e5ef18b>

What type of threat is this?

There’s a big threat wiling around on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker. Many, many organisations and home users are being infected with this malware every minute, everyday and sadly there is no way to avoid it and no solution to date to repair the damage once you’ve been infected.

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=919dfde175&e=226e5ef18b>

What is Cryptolocker then and why is this new virus so destructive?

Instead of us filling up pages on this e-mail, detailing the technicalities, we advise you perform a quick search on Google in regard to this virus called Cryptolocker. We have collected a few links for your convenience just in case, safe and checked by us in advance: Sophos <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=b687feada2&e=226e5ef18b> , Arstechnica <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=37aa4da003&e=226e5ef18b> . Even better, watch a short movie where experts are dissecting this virus on Youtube <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=23fe02601c&e=226e5ef18b> or even check it on Wikipedia <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=781bc15ab8&e=226e5ef18b> .

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=0aa6d55034&e=226e5ef18b>

Got it? The final truth is that nobody will ever be able to retrieve their files.

NOTHING, NEVER AND NOBODY will ever be able to restore the files and photos once encrypted. Sad isn’t it? Time to close your business and go home. All of you. For good. Or time to explain your wife that the wedding pictures are all gone. Forever. Get married again? That is a possibility but for sure not with the same person.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=cbf91d44fc&e=226e5ef18b>

Then what’s to be done? Well…thanks God, there is a way to prevent it.

Oh, now that you are well aware of Cryptolocker, would you like to hear something about Operation Hangover? Hm…Google is your best friend. Time to do your homework! If anything, do not hesitate to email us back or even give us a call, we are always here to help. Remember, PREVENTION is paramount nowadays.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=01dbe6355f&e=226e5ef18b>

WWW.OXITS.CO.UK <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=ac8ddd66be&e=226e5ef18b> <http://oxits.co.uk/cryptolocker/img/vertical-line.png> CONTACT@OXITS.CO.UK

facebook <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=40d98c6f00&e=226e5ef18b> twitter <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=44a6122790&e=226e5ef18b> google <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=62e9c25c8e&e=226e5ef18b> mail <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=a768c3b60d&e=226e5ef18b>

This is not a promotional e-mail, but an informative one. You have received this email thanks to your previous subscription to OXITS or one of its affiliates. If you no longer wish to receive informative emails CLICK HERE <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>

Email Marketing Powered by MailChimp <http://www.mailchimp.com/monkey-rewards/?utm_source=freemium_newsletter&utm_medium=email&utm_campaign=monkey_rewards&aid=b08f1294d8ec1f780d8fa8b4d&afl=1>

COPYRIGHT © 2013 OXITS - OXFORD IT SUPPORT.


As you've no doubt noticed, I use plain text email, and they obviously don't allow for that, instead relying on suckering in those using HTML email (STOP IT ALREADY PEOPLE!!!). The HTML or original, is;



PDF here: http://temp.it-mate.co.uk/oxits.co.uk_spam.pdf

Email headers:
Return-Path: <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>
Delivered-To: <[REMOVED]>
Received: from controller1.emailconfig.com ([109.68.33.144])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id xd1rB0EHg1JIHwAAZ1oeBA
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:47 +0000
Received: from mailserver1.emailconfig.com ([109.68.33.146])
    by controller1.emailconfig.com (Dovecot) with LMTP id 4FG3MbV+g1JZewAAiShP7w
    ; Wed, 13 Nov 2013 14:42:47 +0000
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=ham
Authentication-Results: mailserver1.emailconfig.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=mail67.atl11.rsgsv.net;
    domainkeys=pass (1024-bit key)
    header.sender=newsletter=oxits.co.uk@mail67.atl11.rsgsv.net
    header.d=mail67.atl11.rsgsv.net
Received: from mail67.atl11.rsgsv.net (mail67.atl11.rsgsv.net [205.201.133.67])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 805FB3409E4
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail67.atl11.rsgsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=newsletter=3Doxits.co.uk@mail67.atl11.rsgsv.net;
bh=46xG+FtiNLCYuFOXZyzPqFxJ5tY=;
b=0UOGwoeoekWSU0IOfSGWlm88vv59z79BsSqwOn3oJsSZoSwGFXzYA3JHoDCvTFt0Wda3r7qj08WS
    BW0XFvtltmh3hJTTqWc1ABWvoIRhX2TnBWSiYyfoBCejeXmH2+nHez7+/J0+Z2D9pfFWGeUIFWJa
    6l8rrhlzU1q0sXQAfOk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail67.atl11.rsgsv.net;
b=QKdmkgKzw/zNy+FujeqEoCw/hmphbpQYNCq7w23DAWaKspO+TjVt54WX20vUWWnu0glvKWf6ibG8
    UdfjiMnlq0ZFhfNOqrlSvIj/R2CIEYWObRSHVIBwLVXo1FPUn5WNN4bOUFjosKCTfoqKqYnAjgN3
    tO1AGQJGTlBIfZ5eFHU=;
Received: from (127.0.0.1) by mail67.atl11.rsgsv.net id hge7ua1lgi0a for <[REMOVED]>; Wed, 13 Nov 2013 14:42:43 +0000 (envelope-from <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>)
Subject: =?utf-8?Q?We=20have=20your=20data?=
From: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
Reply-To: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
To: =?utf-8?Q?Dear=2C=20Sir=2FMadame?= <[REMOVED]>
Date: Wed, 13 Nov 2013 14:42:43 +0000
Message-ID: <b08f1294d8ec1f780d8fa8b4d226e5ef18b.20131113144233@mail67.atl11.rsgsv.net>
X-Mailer: MailChimp Mailer - **CIDf321a09f94226e5ef18b**
X-Campaign: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-campaignid: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=b08f1294d8ec1f780d8fa8b4d&id=f321a09f94&e=226e5ef18b
X-MC-User: b08f1294d8ec1f780d8fa8b4d
x-accounttype: ff
List-Unsubscribe: <mailto:unsubscribe-b08f1294d8ec1f780d8fa8b4d-f321a09f94-226e5ef18b@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>
Sender: "Oxford IT Support" <newsletter=oxits.co.uk@mail67.atl11.rsgsv.net>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_960584300"
MIME-Version: 1.0



So oxits.co.uk, who's being a naughty boy then?

3 comments:

Anonymous said...

I seriously cannot see where the so called fraud is? It was a simple informative email no malicious links or scripts. If you would have spent a minute to read the email you would have understood that actually we are trying to help. Or have you simply felt like showing off and have a morning go at somebody, anybody just for the sake of boosting your ego?
No comment.

MysteryFCM said...

1. It was SPAM
2. You sent it to a SPAM TRAP
3. You STOLE the article from Ars Tecnica ....

http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/

Anonymous said...

We have sent it to contacts selected from my personal address book. People that I have exchanged data and emails over years and years therefore the spam trap does not stand.
Again, I reiterate. The intention was to educate not to spam.
Secondly, we have stolen what? Free information widely available all over the internet?? It was a link to Arstechnica also there, I recommend you read that email eventually then make your comments.
I have the feeling you must be joking now.