Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]dfudont.ru:8080/forum/links/column.php hosted on:
188.8.131.52 (Garant-Park-Telecom, Russia)
184.108.40.206 (Proservis UAB, Lithuania)
220.127.116.11 (ip4 GmbH, Germany)
These IPs have been used in several malware attacks recently, so blocking them is a good idea. The following malicious domains are also present on these servers:
Update: there is also a fake Sendspace spam sending visitors to the same payload:
Date: Thu, 17 Jan 2013 03:03:55 +0430
From: Badoo [email@example.com]
Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).
You can use the following link to retrieve your file:
Sendspace, the best free file sharing service.
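
As an added example (not part of the original post), the Python below sweeps web proxy logs for the indicators listed in this post: the payload hostname and the three hosting IPs. The log line format, the sample lines and the weaker "url-shape" match (port 8080 plus the payload path on a host not listed here) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above.
BAD_HOSTS = {"dfudont.ru", "188.8.131.52", "184.108.40.206", "220.127.116.11"}
PAYLOAD_PORT = 8080
PAYLOAD_PATH = "/forum/links/column.php"

# Assumed log format: "<timestamp> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines (not real traffic); clients use private addresses.
SAMPLE_LOG = [
    "2013-01-18T09:01:12 10.0.0.21 GET http://dfudont.ru:8080/forum/links/column.php?a=1 200",
    "2013-01-18T09:02:40 10.0.0.35 GET http://188.8.131.52:8080/forum/links/column.php 200",
    "2013-01-18T09:03:05 10.0.0.44 GET http://example.net:8080/forum/links/column.php 404",
    "2013-01-18T09:04:00 10.0.0.50 GET http://example.org/forum/index.php 200",
    "truncated or malformed line",
]

def classify(line):
    """Return (client, verdict) for a suspicious log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, client, _, url, _ = m.groups()
    parts = urlsplit(url)
    # hostname is lower-cased by urlsplit; drop a trailing root dot as well.
    host = (parts.hostname or "").rstrip(".")
    if host in BAD_HOSTS:
        return client, "known-host"
    try:
        port = parts.port
    except ValueError:  # port out of range in a malformed URL
        return None
    # Weaker signal (assumption): same port and path on a host not listed above.
    if port == PAYLOAD_PORT and parts.path == PAYLOAD_PATH:
        return client, "url-shape"
    return None

def sweep(lines):
    """Collect (client, verdict) pairs for every suspicious line."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, verdict in sweep(SAMPLE_LOG):
        print(f"{client}\t{verdict}")
```

Clients flagged as "known-host" contacted an indicator from this post and warrant follow-up; "url-shape" hits only match the URL pattern and need manual review.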