Date: Thu, 22 Aug 2013 16:14:59 +0000 [12:14:59 EDT]
From: Discover Card [email@example.com]
Subject: Your account login information updated
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your account login information has been updated.
This e-mail is to confirm that you have updated your log-in information for Discover.com. Please remember to use your new information the next time you log in.
Log In to review your account details or to make additional changes.
Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
Don't miss out—sign up to get exclusive offers via e-mail from Discover.
Facebook Twitter I Love Cashback Bonus Blog Mobile
Add firstname.lastname@example.org to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.
This e-mail was sent to [redacted].
You are receiving this Discover e-mail as a confirmation of your account activity.
Log in to update your e-mail address or view your account e-mail preferences.
If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.
Please do not reply to this e-mail as we are not able to respond to messages sent to this address.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2012 Discover Bank, Member FDIC
The link in the email uses the Twitter redirection service to go to [donotclick]t.co/9PsnfeL8hh then [donotclick]x.co/1neIk then [donotclick]activegranite.com/vocatives/index.html and finally to a set of three scripts as follows:
From this point the victim ends up at the malicious payload at [donotclick]abemuggs.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 220.127.116.11 (Linode, US).
At the moment, I can only see abemuggs.com active on 18.104.22.168, however other domains in the same GoDaddy account may be hijacked as well. If you see unexpected traffic going to the following domains then it may be malicious:
I would strongly recommend the following blocklist: