Thursday, 16 May 2013 spam /

This fake Walmart spam leads to malware on

From: []
Date:     16 May 2013 14:02
Subject:     Thanks for your Order 3795695-976140

Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

Thanks for ordering from We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to or reply to this email and let us know how we can help.

Your Customer Service Team

Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
© USA, LLC, All Rights Reserved.

 The link goes through a legitimate hacked site and ends up on a malware page at [donotclick] (report here) hosted on: (Verizon, US) (Matt Martin Real Estate Management / Rackspace, US)
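Because the link in the message points at a legitimate hacked site, a blocklist check against that first URL alone finds nothing; every hop of the chain has to be scored. The sketch below is an added example, not code from the original post: the hostnames, recorded responses and blocklist entry are constructed placeholders, and treating only HTTP 3xx and meta-refresh responses as redirects is an assumption.

```python
import re
from urllib.parse import urljoin, urlsplit

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
    r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.IGNORECASE)

# Constructed sample: url -> (status, headers, body), as a sandboxed fetcher
# might record them. All hostnames are placeholders, not taken from the post.
SAMPLE = {
    "http://hacked-site.example/order.html": (200, {},
        '<meta http-equiv="refresh" content="0; url=http://redirector.example/r?id=1">'),
    "http://redirector.example/r?id=1": (302,
        {"Location": "http://payload.invalid:8080/landing"}, ""),
    "http://payload.invalid:8080/landing": (200, {}, "<html>landing</html>"),
}
BLOCKLIST = {"payload.invalid"}  # constructed entry

def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def resolve_chain(start, responses, max_hops=10):
    """Walk recorded responses hop by hop; stop on loops or at max_hops."""
    chain, url = [], start
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        resp = responses.get(url)
        url = next_hop(url, *resp) if resp else None
    return chain

def blocked(url, blocklist):
    """True if the URL's host is a blocklisted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def verdict(start, responses, blocklist):
    """Compare a first-URL-only check with a check over the whole chain."""
    chain = resolve_chain(start, responses)
    return {"chain": chain,
            "first_url_hit": blocked(start, blocklist),
            "chain_hits": [u for u in chain if blocked(u, blocklist)]}

if __name__ == "__main__":
    print(verdict("http://hacked-site.example/order.html", SAMPLE, BLOCKLIST))
```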

The WHOIS details are characteristic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara
   38 Wee Burn Lane
   DARIEN, CO 06820

Blocklist (including nameservers):


Gwenwyn Brightwood said...

Our company got a couple of the same thing linking to these sites:

Same amount, same exact wording, excepting different names and addresses. Every single one is for the same 'total.'

Conrad Longmore said...

@Gwenwyn, the URL in the email is always a legitimate hacked site which leads to a redirector which *then* bounces the victim to the payload site. It's a clever trick as it helps to bypass URL-based spam filtering.

Darryl LaRocque said...

Don't click on anything. If you are concerned go to your browser and enter the actual website.

Darryl LaRocque said...

Don't click on anything. If you are concerned go directly to the website manually in your browser. Hyperlinks are not always what they claim to be.

A said...

Does anyone know the extent of damage this thing does if you click the link and receive the payload? It seems to be changing some settings in IE, but beyond that I can't tell if anything else is going on.