Sponsored by..

Monday, 1 October 2012

Intuit Shipment spam / art-london.net

This terminally confused Intuit / USPS / Amazon-style spam leads to malware at art-london.net:

Date:      Mon, 1 Oct 2012 21:31:57 +0430
From:      "Intuit Customer Service" [battingiy760@clickz.com]
To:      [redacted]
Subject:      Intuit Shipment Confirmation


Dear [redacted],

Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.

Thank you for your interest.
    Order #: ID859560
Order Date: Sep 25, 2012

Item(s) In Your Order

Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217

Quantity     Item
1     Intuit Card Reader Device - Gray

Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.

Shipment Information:

We sent your item(s) to the next address:

065 S Paolo Ave, App. 5A
S Maria, FL

Email: [redacted]   
    Questions about your order? Please visit Customer Service.

Return Policy and Instructions

Privacy | Legal Disclaimer | Contact Us | About

You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications.

Please note: This email was sent from an automative notification system that not configured to accept incoming mail. Please don't reply to this message.

�2008-2012 Intuit Llc. or its affiliates. All rights reserved.
The malicious payload is at [donotclick]art-london.net/detects/stones-instruction_think.php  hosted on (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domains buzziskin.net and  indice-acores.net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless.

No comments: