Date: Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From: eBay [eBay@reply1.ebay.com]
Subject: [redacted] welcome to the eBay community!
Items selected just for you.
View this message in your browser eBay Buyer Protection
ebay™ Fashion Electionics Collectibles Daily Deals Sell To Buy
Welcome to eBay. The simpler and safer way to shop and save.
You've got options when it comes to paying.
Learn more to protect yourself from spoof (fake) e-mails
eBay Inc. sent this e-mail to you at [redacted] because your Notification Preferences indicate that you want to receive general email promotions.
Copyright © 2013 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.
eBay Inc. is located at 2145 Hamilton Avenue, San Jose, CA 95125.
The link in the email goes to a legitimate hacked site and then runs one or more scripts from the following list of three:
The victim is then sent to a malware landing page at [donotclick]artimagefrance.com/topic/accidentally-results-stay.php hosted on 22.214.171.124 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 126.96.36.199/28 in this case.
The domain is a hijacked GoDaddy domain, and the following hijacked domains appear to be in the neighbourhood. Ones flagged by Google as malware already are highlighted, although all should be considered as malicious.