From: David O'Connor - LinkedIn [mailto:firstname.lastname@example.org]
Sent: 18 March 2013 15:34
Subject: Join my network on LinkedIn
From David O'Connor (animator at ea)
There are a total of 9 messages awaiting your response. Go to InBox now.
This message was sent to email@example.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.

The link in the message goes through a legitimate hacked site to a malware landing page on [donotclick]applockrapidfire.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php (report here) hosted on 220.127.116.11 (Hetzner, Germany). applockrapidfire.biz was registered just today to a presumably fake address:
1639 Heather Sees Way
URLquery detects traffic to these additional IPs that you might want to block too:
18.104.22.168 (Softlayer / Maxmind LLC, US)
22.214.171.124 (Secured Servers LLC / Phoenix NAP, US)
126.96.36.199 (ADM Service Ltd, Monaco)
The nameservers are NS1.QUANTUMISPS.COM (188.8.131.52: Hetzner, Germany) and NS2.QUANTUMISPS.COM (184.108.40.206: Secured Servers LLC / Phoenix NAP, US). quantumisps.com was registered to an anonymous person on 2013-03-15.