Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 19 November 2013

Alert: Somoto, AdworkMedia, Topfiles.me

Here yet again, we have more misleading badness from Somoto, via Adworkmedia and courtesy of Topfiles.me (one of a number of pathetic "download sites" that actually aren't ....).


The URLs;

hxxp://topfiles.me/hVVXLBYLJM
hxxp://topfiles.me/offer_set.php?file=115113&o=2912&u=6765
hxxp://www.adworkmedia.com/go.php?camp=4338&pub=4071&sid=212.56.95.253_115113_6765_4
hxxps://www.adworkmedia.com/go.php?camp=4338&pub=4071&sid=212.56.95.253_115113_6765_4&refT=http%3A%2F%2Ftopfiles.me%2Foffer_set.php%3Ffile%3D115113%26o%3D1187%26u%3D6765
hxxps://www.adworkmedia.com/stream.php?stream=aHR0cDovL3d3dy5kb3dueHNvZnQuY29tL25scC9lL2Fkd29ya21lZGlhL2ZyZWVfbWVkaWFfcGxheWVyP3AxPTEmdXRtX3NvdXJjZT1hZHdvcmttZWRpYSZ1dG1fbWVkaXVtPWFmZmlsaWF0ZSZ1dG1fY2FtcGFpZ249MSZ1dG1fY29udGVudD1mcmVlX21lZGlhX3BsYXllciZwMz0xOTc5NzUzNzAtNDA3MQ==
hxxp://www.downxsoft.com/nlp/e/adworkmedia/free_media_player?p1=1&utm_source=adworkmedia&utm_medium=affiliate&utm_campaign=1&utm_content=free_media_player&p3=197957679-4071
hxxp://download.softiglu.com/nlp/h/adworkmedia/flvplayer/dl?p1=1&p3=197957679-4071&datetime=20131119_2211&utm_source=adworkmedia&utm_medium=affiliate&utm_campaign=1&translate=en&tracking_percent=23.13&software_name=Video+Player&download_country=UK&timestamp=1384899108

Oh and as for the media player it claims you're getting, what you actually get is a machine filled with adware.

I was also pointed in the direction of the following, which is yet another company involved in the peddling of this rubbish - Finedream Invest Ltd;

hxxp://www.freefilesdownloader.com
hxxp://www.freefilesdownloader.com/fetch//MS0yMDAwMC0xMzg0ODk5Nzk0LTkwMTY2MmZlODdiNDMzMzYyYjllZTU0ZGZjMzAzNmFh
hxxp://www.freefilesdownloader.com/getoxy/Downloader__2000001.exe?st=zzFRuN8tfNvOlwpKRFO-VQ&e=1384986196&fileid=901662fe87b433362b9ee54dfc3036aa
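Both chains above carry the interesting bits in encoded parameters rather than in plain sight: go.php's refT is a percent-encoded copy of the topfiles.me step, stream.php's stream is the base64 of the next hop, freefilesdownloader.com puts a base64 token in the /fetch// path and then a signed-looking st token plus an e= value on the .exe link, and the sid on go.php appears to carry the visitor's IP together with the topfiles file and user ids. The Python below is an added example, not code from this post or from any of the sites named, that unwinds both chains offline (nothing is fetched) and decodes those parameters generically, so it works on other affiliate redirectors as well. It assumes st is opaque and that e= is a unix-time expiry; both read that way from the values but neither is confirmed anywhere above.

```python
import base64
import binascii
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The two redirect chains quoted in the post, with the "hxxp" defanging undone
# so urllib will parse them.  Nothing here is ever fetched.
CHAIN: List[str] = [
    "http://topfiles.me/offer_set.php?file=115113&o=2912&u=6765",
    "https://www.adworkmedia.com/go.php?camp=4338&pub=4071&sid=212.56.95.253_115113_6765_4&refT=http%3A%2F%2Ftopfiles.me%2Foffer_set.php%3Ffile%3D115113%26o%3D1187%26u%3D6765",
    "https://www.adworkmedia.com/stream.php?stream=aHR0cDovL3d3dy5kb3dueHNvZnQuY29tL25scC9lL2Fkd29ya21lZGlhL2ZyZWVfbWVkaWFfcGxheWVyP3AxPTEmdXRtX3NvdXJjZT1hZHdvcmttZWRpYSZ1dG1fbWVkaXVtPWFmZmlsaWF0ZSZ1dG1fY2FtcGFpZ249MSZ1dG1fY29udGVudD1mcmVlX21lZGlhX3BsYXllciZwMz0xOTc5NzUzNzAtNDA3MQ==",
    "http://www.freefilesdownloader.com/fetch//MS0yMDAwMC0xMzg0ODk5Nzk0LTkwMTY2MmZlODdiNDMzMzYyYjllZTU0ZGZjMzAzNmFh",
    "http://www.freefilesdownloader.com/getoxy/Downloader__2000001.exe?st=zzFRuN8tfNvOlwpKRFO-VQ&e=1384986196&fileid=901662fe87b433362b9ee54dfc3036aa",
]

HEX = set("0123456789abcdefABCDEF")
EPOCH_PARAMS = ("e", "timestamp")   # assumed to be unix times; e= looks like a link expiry


def b64_decode_lenient(token: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating stripped '=' padding and
    the '+' -> ' ' mangling that query-string parsing applies to values."""
    token = token.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def unwind(url: str) -> Dict[str, object]:
    """Everything one hop leaks: a previous-hop referrer, a base64-wrapped next
    hop, unix-time parameters, and any other decodable blob."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    referrer: Optional[str] = None
    next_hop: Optional[str] = None
    timestamps: Dict[str, datetime] = {}
    blobs: Dict[str, str] = {}
    candidates = dict(params)
    candidates["path"] = parts.path.rsplit("/", 1)[-1]   # freefilesdownloader hides its token in the path
    for name, value in candidates.items():
        if name == "refT":
            referrer = value                                 # parse_qs already percent-decoded it
        elif name in EPOCH_PARAMS and value.isdigit():
            timestamps[name] = datetime.fromtimestamp(int(value), tz=timezone.utc)
        elif len(value) >= 16 and not set(value) <= HEX:     # hex-only values are hashes, not base64
            decoded = b64_decode_lenient(value)
            if decoded is None:
                continue
            if decoded.startswith((b"http://", b"https://")):
                next_hop = decoded.decode("ascii", "replace")
            elif all(32 <= b < 127 for b in decoded):
                blobs[name] = decoded.decode("ascii")
            else:
                blobs[name] = decoded.hex()                  # opaque token: keep the bytes
    return {"host": parts.hostname, "params": params, "referrer": referrer,
            "next_hop": next_hop, "timestamps": timestamps, "blobs": blobs}


def unwind_chain(urls: List[str]) -> List[Dict[str, object]]:
    return [unwind(u) for u in urls]


if __name__ == "__main__":
    for step in unwind_chain(CHAIN):
        print(step["host"])
        for key in ("referrer", "next_hop", "timestamps", "blobs"):
            if step[key]:
                print(f"  {key}: {step[key]}")
```

Run it and the stream parameter decodes to a downxsoft.com free_media_player URL whose p3 click id (197975370-4071) differs from the one in the hop listed after it, so those are two separate clicks through the same campaign. The /fetch// token decodes to 1-20000-1384899794-901662fe87b433362b9ee54dfc3036aa, which embeds the same fileid that reappears on the .exe link, and the e= value on that link is 86402 seconds later than the timestamp inside the token, so the signed download URL appears to be valid for 24 hours.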


Finedream Invest Ltd claim to be at;

11 Rosemont Road
Hampstead
London
NW3 6NG

Well sorry folks, but nope - they're not;

https://maps.google.co.uk/maps?q=11+Rosemont+Road+nw3+6ng&hl=en&ll=51.549348,-0.182758&spn=0.000462,0.001321&sll=51.549259,-0.182792&hnear=11+Rosemont+Rd,+London+NW3+6NG,+United+Kingdom&t=h&z=20&iwloc=A

That address belongs to "AMR Specialist Recruitment Consultants", meaning it's likely they're using a "virtual presence" in the UK.

Sunday 17 November 2013

hpHosts: Updated 17-11-2013

The hpHOSTS Hosts file has been updated. There is now a total of 343,717 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Last updated: 17/11/2013 09:00
Last verified: 14/11/2013 00:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday 13 November 2013

ALERT: oxits.co.uk fraud playing on Cryptolocker

/edit 26-11-2013 22:14

I've now seen the confirmation showing they have permission to reproduce the article, so am retracting the fraud claim against oxits.co.uk. The only outstanding issue is their spamming me.


Woke up to find this in my inbox earlier.

CANNOT SEE THIS EMAIL? VIEW IT IN YOUR BROWSER <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e281ad95d1&e=226e5ef18b>

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=e5016474da&e=226e5ef18b>

OXITS telephone<http://oxits.co.uk/cryptolocker/img/tel.png>

<http://oxits.co.uk/cryptolocker/img/top-rounded-bg.png>

large image <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=1b9d967fad&e=226e5ef18b>

CryptoLocker - You’re infected – if you want to see your data again, pay!

Don’t ignore this email!

Despite the pictures we have used, this is not a joke or a scam. It will take 2 minutes of your precious life but it will save your business, thousands of pounds and many days of work, stress and frustration! No, we are not selling anything. We, at Oxford IT Support are firm believers that knowledge comes free.

<http://oxits.co.uk/cryptolocker/img/bottom-rounded-bg.png>

logo <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=6771391daa&e=226e5ef18b>

What type of threat is this?

There’s a big threat wiling around on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker. Many, many organisations and home users are being infected with this malware every minute, everyday and sadly there is no way to avoid it and no solution to date to repair the damage once you’ve been infected.

logo <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=919dfde175&e=226e5ef18b>

What is Cryptolocker then and why is this new virus so destructive?

Instead of us filling up pages on this e-mail, detailing the technicalities, we advise you perform a quick search on Google in regard to this virus called Cryptolocker. We have collected a few links for your convenience just in case, safe and checked by us in advance: Sophos <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=b687feada2&e=226e5ef18b> , Arstechnica <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=37aa4da003&e=226e5ef18b> . Even better, watch a short movie where experts are dissecting this virus on Youtube <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=23fe02601c&e=226e5ef18b> or even check it on Wikipedia <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=781bc15ab8&e=226e5ef18b> .

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=0aa6d55034&e=226e5ef18b>

Got it? The final truth is that nobody will ever be able to retrieve their files.

NOTHING, NEVER AND NOBODY will ever be able to restore the files and photos once encrypted. Sad isn’t it? Time to close your business and go home. All of you. For good. Or time to explain your wife that the wedding pictures are all gone. Forever. Get married again? That is a possibility but for sure not with the same person.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=cbf91d44fc&e=226e5ef18b>

Then what’s to be done? Well…thanks God, there is a way to prevent it.

Oh, now that you are well aware of Cryptolocker, would you like to hear something about Operation Hangover? Hm…Google is your best friend. Time to do your homework! If anything, do not hesitate to email us back or even give us a call, we are always here to help. Remember, PREVENTION is paramount nowadays.

logo <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=01dbe6355f&e=226e5ef18b>

WWW.OXITS.CO.UK <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=ac8ddd66be&e=226e5ef18b> <http://oxits.co.uk/cryptolocker/img/vertical-line.png> CONTACT@OXITS.CO.UK

facebook <http://oxits.us3.list-manage1.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=40d98c6f00&e=226e5ef18b> twitter <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=44a6122790&e=226e5ef18b> google <http://oxits.us3.list-manage.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=62e9c25c8e&e=226e5ef18b> mail <http://oxits.us3.list-manage2.com/track/click?u=b08f1294d8ec1f780d8fa8b4d&id=a768c3b60d&e=226e5ef18b>

This is not a promotional e-mail, but an informative one. You have received this email thanks to your previous subscription to OXITS or one of its affiliates. If you no longer wish to receive informative emails CLICK HERE <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>

Email Marketing Powered by MailChimp <http://www.mailchimp.com/monkey-rewards/?utm_source=freemium_newsletter&utm_medium=email&utm_campaign=monkey_rewards&aid=b08f1294d8ec1f780d8fa8b4d&afl=1>

COPYRIGHT © 2013 OXITS - OXFORD IT SUPPORT.


As you've no doubt noticed, I use plain text email, and they obviously don't allow for that, instead relying on suckering in those using HTML email (STOP IT ALREADY PEOPLE!!!). The HTML original is;



PDF here: http://temp.it-mate.co.uk/oxits.co.uk_spam.pdf

Email headers:
Return-Path: <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>
Delivered-To: <[REMOVED]>
Received: from controller1.emailconfig.com ([109.68.33.144])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id xd1rB0EHg1JIHwAAZ1oeBA
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:47 +0000
Received: from mailserver1.emailconfig.com ([109.68.33.146])
    by controller1.emailconfig.com (Dovecot) with LMTP id 4FG3MbV+g1JZewAAiShP7w
    ; Wed, 13 Nov 2013 14:42:47 +0000
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=ham
Authentication-Results: mailserver1.emailconfig.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=mail67.atl11.rsgsv.net;
    domainkeys=pass (1024-bit key)
    header.sender=newsletter=oxits.co.uk@mail67.atl11.rsgsv.net
    header.d=mail67.atl11.rsgsv.net
Received: from mail67.atl11.rsgsv.net (mail67.atl11.rsgsv.net [205.201.133.67])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 805FB3409E4
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail67.atl11.rsgsv.net;
    h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=newsletter=3Doxits.co.uk@mail67.atl11.rsgsv.net;
    bh=46xG+FtiNLCYuFOXZyzPqFxJ5tY=;
    b=0UOGwoeoekWSU0IOfSGWlm88vv59z79BsSqwOn3oJsSZoSwGFXzYA3JHoDCvTFt0Wda3r7qj08WS
    BW0XFvtltmh3hJTTqWc1ABWvoIRhX2TnBWSiYyfoBCejeXmH2+nHez7+/J0+Z2D9pfFWGeUIFWJa
    6l8rrhlzU1q0sXQAfOk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail67.atl11.rsgsv.net;
    b=QKdmkgKzw/zNy+FujeqEoCw/hmphbpQYNCq7w23DAWaKspO+TjVt54WX20vUWWnu0glvKWf6ibG8
    UdfjiMnlq0ZFhfNOqrlSvIj/R2CIEYWObRSHVIBwLVXo1FPUn5WNN4bOUFjosKCTfoqKqYnAjgN3
    tO1AGQJGTlBIfZ5eFHU=;
Received: from (127.0.0.1) by mail67.atl11.rsgsv.net id hge7ua1lgi0a for <[REMOVED]>; Wed, 13 Nov 2013 14:42:43 +0000 (envelope-from <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>)
Subject: =?utf-8?Q?We=20have=20your=20data?=
From: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
Reply-To: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
To: =?utf-8?Q?Dear=2C=20Sir=2FMadame?= <[REMOVED]>
Date: Wed, 13 Nov 2013 14:42:43 +0000
Message-ID: <b08f1294d8ec1f780d8fa8b4d226e5ef18b.20131113144233@mail67.atl11.rsgsv.net>
X-Mailer: MailChimp Mailer - **CIDf321a09f94226e5ef18b**
X-Campaign: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-campaignid: mailchimpb08f1294d8ec1f780d8fa8b4d.f321a09f94
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=b08f1294d8ec1f780d8fa8b4d&id=f321a09f94&e=226e5ef18b
X-MC-User: b08f1294d8ec1f780d8fa8b4d
x-accounttype: ff
List-Unsubscribe: <mailto:unsubscribe-b08f1294d8ec1f780d8fa8b4d-f321a09f94-226e5ef18b@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>
Sender: "Oxford IT Support" <newsletter=oxits.co.uk@mail67.atl11.rsgsv.net>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_960584300"
MIME-Version: 1.0



So oxits.co.uk, who's being a naughty boy then?
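Worth spelling out what those headers do and don't prove, because the spam filter let this through at -1.899. DKIM and SPF both pass, but the DKIM d= and the Sender: are mail67.atl11.rsgsv.net, i.e. MailChimp's relay, not oxits.co.uk; the signature proves MailChimp sent it on behalf of that account and nothing more, and the score is mostly BAYES_00 liking the wording. The Python below is an added example, not code from this post or from any of the parties involved, that pulls the four things a practitioner checks out of a pasted header block: the hop that handed the message to your own relays (the only Received: line you can trust), From/DKIM domain alignment in the DMARC sense, the individual SpamAssassin rules behind the score, and where the ESP says to send complaints. The headers are the ones quoted above with their folded continuation lines re-indented, and emailconfig.com is assumed to be the trusted receiving side because that is where the top three Received: lines were stamped.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Headers copied from the message quoted above, continuation lines indented so
# the parser sees each folded header as one value.  Recipient already redacted.
RAW_HEADERS = """\
Return-Path: <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>
Received: from controller1.emailconfig.com ([109.68.33.144])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id xd1rB0EHg1JIHwAAZ1oeBA
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:47 +0000
Received: from mailserver1.emailconfig.com ([109.68.33.146])
    by controller1.emailconfig.com (Dovecot) with LMTP id 4FG3MbV+g1JZewAAiShP7w
    ; Wed, 13 Nov 2013 14:42:47 +0000
X-Spam-Status: No, score=-1.899 tagged_above=-9999 required=1.3
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
    RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
    URIBL_BLOCKED=0.001] autolearn=ham
Authentication-Results: mailserver1.emailconfig.com (amavisd-new);
    dkim=pass (1024-bit key) header.d=mail67.atl11.rsgsv.net;
    domainkeys=pass (1024-bit key)
    header.sender=newsletter=oxits.co.uk@mail67.atl11.rsgsv.net
    header.d=mail67.atl11.rsgsv.net
Received: from mail67.atl11.rsgsv.net (mail67.atl11.rsgsv.net [205.201.133.67])
    by mailserver1.emailconfig.com (Postfix) with ESMTP id 805FB3409E4
    for <[REMOVED]>; Wed, 13 Nov 2013 14:42:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail67.atl11.rsgsv.net;
    h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
    i=newsletter=3Doxits.co.uk@mail67.atl11.rsgsv.net; bh=46xG+FtiNLCYuFOXZyzPqFxJ5tY=;
    b=0UOGwoeoekWSU0IOfSGWlm88vv59z79BsSqwOn3oJsSZoSwGFXzYA3JHoDCvTFt0Wda3r7qj08WS
    BW0XFvtltmh3hJTTqWc1ABWvoIRhX2TnBWSiYyfoBCejeXmH2+nHez7+/J0+Z2D9pfFWGeUIFWJa
    6l8rrhlzU1q0sXQAfOk=
Received: from (127.0.0.1) by mail67.atl11.rsgsv.net id hge7ua1lgi0a for <[REMOVED]>; Wed, 13 Nov 2013 14:42:43 +0000 (envelope-from <bounce-mc.us3_23160935.221577-services=it-mate.co.uk@mail67.atl11.rsgsv.net>)
Subject: =?utf-8?Q?We=20have=20your=20data?=
From: =?utf-8?Q?Oxford=20IT=20Support?= <newsletter@oxits.co.uk>
Sender: "Oxford IT Support" <newsletter=oxits.co.uk@mail67.atl11.rsgsv.net>
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=b08f1294d8ec1f780d8fa8b4d&id=f321a09f94&e=226e5ef18b
List-Unsubscribe: <mailto:unsubscribe-b08f1294d8ec1f780d8fa8b4d-f321a09f94-226e5ef18b@mailin1.us2.mcsv.net?subject=unsubscribe>,
    <http://oxits.us3.list-manage1.com/unsubscribe?u=b08f1294d8ec1f780d8fa8b4d&id=aec182f76c&e=226e5ef18b&c=f321a09f94>
"""

OUR_MAIL_DOMAIN = "emailconfig.com"   # the receiving relays above; assumed to be the trusted side


def parse(raw: str = RAW_HEADERS) -> Message:
    return email.message_from_string(raw)


def _unfold(value: Optional[str]) -> str:
    return " ".join((value or "").split())


def received_hops(msg: Message) -> List[Dict[str, Optional[str]]]:
    """Every Received: header as {from, ip, by}, newest first (header order)."""
    hops = []
    for raw in msg.get_all("Received", []):
        head, _, tail = _unfold(raw).partition(" by ")
        frm = re.match(r"from\s+(\S+)", head)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
        by = re.match(r"(\S+)", tail)
        hops.append({"from": frm and frm.group(1), "ip": ip and ip.group(1), "by": by and by.group(1)})
    return hops


def external_origin(msg: Message, ours: str = OUR_MAIL_DOMAIN) -> Optional[Dict[str, Optional[str]]]:
    """Oldest hop stamped by our own relays, i.e. who handed us the message.
    Received: lines below that one were written by the sender and prove nothing."""
    origin = None
    for hop in received_hops(msg):
        by = hop["by"] or ""
        if by == ours or by.endswith("." + ours):
            origin = hop
    return origin


def dkim_alignment(msg: Message) -> Dict[str, object]:
    """DMARC-style check: is the DKIM d= domain the From: domain, or a parent/child of it?"""
    tags: Dict[str, str] = {}
    for kv in _unfold(msg.get("DKIM-Signature")).split(";"):
        key, sep, val = kv.strip().partition("=")
        if sep:
            tags[key] = val.strip()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signer = tags.get("d", "").lower()
    aligned = bool(signer) and (from_domain == signer or from_domain.endswith("." + signer)
                                or signer.endswith("." + from_domain))
    return {"from_domain": from_domain, "signer": signer, "aligned": aligned,
            "signed_headers": tags.get("h", "").split(":")}


def spam_tests(msg: Message) -> Dict[str, float]:
    """The individual SpamAssassin rules and weights behind the X-Spam-Status score."""
    m = re.search(r"tests=\[(.*?)\]", _unfold(msg.get("X-Spam-Status")))
    if not m:
        return {}
    return {name: float(score) for name, score in (t.split("=") for t in m.group(1).split(", "))}


def abuse_contacts(msg: Message) -> Dict[str, List[str]]:
    """Where the ESP says to send complaints, and the list's own opt-out channels."""
    url = re.compile(r"((?:https?|mailto):[^\s<>,]+)")
    return {"report_abuse": url.findall(_unfold(msg.get("X-Report-Abuse"))),
            "unsubscribe": url.findall(_unfold(msg.get("List-Unsubscribe")))}


if __name__ == "__main__":
    m = parse()
    print("handed to us by:", external_origin(m))
    print("dkim:", dkim_alignment(m))
    print("spam rules:", spam_tests(m))
    print("complaints:", abuse_contacts(m))
```

The output makes the point: the message came in from 205.201.133.67 (mail67.atl11.rsgsv.net), the signer is that same relay domain rather than oxits.co.uk, so alignment fails, and every negative-scoring rule is either the Bayes classifier or an authentication pass that only vouches for MailChimp. The X-Report-Abuse URL is the place a complaint about the campaign actually lands.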

Monday 11 November 2013

Info: BBB misrepresentation (fraud)

Not normally a fan of media sites, but this one I thought deserved attention, not least because the sheer volume of misleading or otherwise malicious sites that have had "good" BBB ratings over the years meant we already knew those ratings were meaningless;

The Better Business Bureau, one of the country's best known consumer watchdog groups, is being accused by business owners of running a "pay for play" scheme in which A plus ratings are awarded to those who pay membership fees, and F ratings used to punish those who don't.

To prove the point, a group of Los Angeles business owners paid $425 to the Better Business Bureau and were able to obtain an A minus grade for a non-existent company called Hamas, named after the Middle Eastern terror group.

"Right now, this rating system is really unworthy of consumer trust or confidence," said Connecticut attorney general Richard Blumenthal in an interview to be broadcast as part of an ABC News investigation airing tonight on 20/20.

In an official demand letter sent to the national headquarters of the Better Business Bureau Thursday, Blumenthal called on the BBB to stop using its grading system, which he said was "potentially harmful and misleading" to consumers.


Read more
http://abcnews.go.com/Blotter/business-bureau-best-ratings-money-buy/story?id=12123843

Saturday 9 November 2013

Info: Server issues

Just an FYI folks, the server that houses mysteryfcm.co.uk, the Abelhadigital forums and others, suffered a hard drive failure earlier.

I'm working as quickly as I can to get a new drive put in and the system restored, but obviously, this is going to take several hours.

Sorry for the inconvenience folks.

Monday 4 November 2013

hpObserver v0.6.12

Modified: Tools > Search menu
Modified: Tools > Check URL menu (now called "Scan URL with")

Added: Save as CSV
Added: Save as text (No line breaks) (see Release notes)
Added: Correct OpenDNS hit-nxdomain IPs (see Release notes)
Added: Windows 7/8/8.1 OS detection
Added: Send IP/Hostname to BFK
Added: Send IP/Hostname to Bing
Added: Send IP/Hostname to BGP.HE.NET
Added: Send IP/Hostname to CleanMX
Added: Send IP/Hostname to Exalead
Added: Send IP/Hostname to Google
Added: Send IP/Hostname to hpHosts
Added: Send IP/Hostname to MDL
Added: Send IP/Hostname to RobTex
Added: Send IP/Hostname to SiteAdvisor
Added: Send IP/Hostname to SafeWeb
Added: Send IP/Hostname to TrustedSource
Added: Send IP/Hostname to Web Of Trust
Added: Send IP/Hostname to URLQuery
Added: Send IP/Hostname to URLVoid
Added: Send IP/Hostname to ZeusTracker
Added: Search ASN using CIDRReport
Added: Search ASN using CleanMXASN

Notes:

"Save as CSV" will save the results as "FIELD1";"FIELD2";"FIELD3"; etc etc

"Save as Text (No line breaks)" will save as the usual plain text, but keeps the IPs (where a domain resolves to multiple IPs) on the same line, instead of putting each IP on a new line.

"Correct OpenDNS hit-nxdomain IPs" corrects results where a domain that does not actually resolve is shown as resolving to OpenDNS's hit-nxdomain.* and hit-servfail.* IPs. You can turn that redirection off if you have an OpenDNS account, but doing so also requires disabling all of their options/protection/filters; this option means you don't have to do that when checking a domain with hpObserver.
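As an added example of the general form of that correction (hpObserver's own code isn't on this page, so how it does it is an assumption on my part, not a description of the program), the Python below resolves a few random names that cannot exist, treats whatever they come back as as the resolver's landing addresses, and strips those from every real answer; browsers use the same canary trick to detect NXDOMAIN-rewriting resolvers. The stub resolver, its zone and its landing address are made up for offline use (RFC 5737 documentation ranges), not OpenDNS's real ones.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver is anything that maps a name to its A records, [] meaning NXDOMAIN
# (or a failure).  Injecting it keeps the correction logic testable offline.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """The machine's configured resolver, which is OpenDNS for the users in question."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def canary_names(parent: str = "com", count: int = 3) -> List[str]:
    """Random labels that cannot exist; an honest resolver says NXDOMAIN to all of them."""
    return [f"{secrets.token_hex(8)}-canary.{parent}" for _ in range(count)]


def learn_hijack_ips(resolve: Resolver, canaries: Iterable[str], known: Iterable[str] = ()) -> Set[str]:
    """Whatever the canaries resolve to is the resolver's NXDOMAIN landing page
    (OpenDNS's hit-nxdomain.*).  'known' seeds addresses learnt another way, e.g.
    the hit-servfail.* ones, which a plain NXDOMAIN canary never triggers."""
    hijack = set(known)
    for name in canaries:
        hijack.update(resolve(name))
    return hijack


def corrected_lookup(name: str, resolve: Resolver, hijack_ips: Set[str]) -> List[str]:
    """Real A records for name; [] when the resolver only offered its landing page,
    which is what a hosts-file check should treat as 'does not resolve'."""
    return [ip for ip in resolve(name) if ip not in hijack_ips]


def scan(names: Iterable[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Resolve a batch the way hpObserver would, with the OpenDNS correction applied."""
    hijack = learn_hijack_ips(resolve, canary_names())
    return {name: corrected_lookup(name, resolve, hijack) for name in names}


# Constructed stand-in for a resolver that rewrites NXDOMAIN to a landing page.
# Zone and addresses are invented (RFC 5737 ranges), not OpenDNS's real ones.
FAKE_ZONE = {"hosts-file.net": ["192.0.2.10"], "it-mate.co.uk": ["192.0.2.11"]}
FAKE_LANDING = ["198.51.100.1"]


def fake_hijacking_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, FAKE_LANDING)


def fake_honest_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    targets = ["hosts-file.net", "definitely-not-registered-xyz.example"]
    print("lying resolver, corrected:", scan(targets, fake_hijacking_resolver))
    print("system resolver, corrected:", scan(targets, system_resolver))
```

The canary only catches the NXDOMAIN landing page; a SERVFAIL landing page needs a name with a deliberately broken delegation, which this example doesn't set up, hence the known= seed.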

Download
http://support.it-mate.co.uk/?mode=Products&act=DL&p=hpobserver