Date: Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From: Discover Card [email@example.com]
Access My Account
ACCOUNT CONFIRMATION Statements | Payments | Rewards
Your most recent payment has been processed.
This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.
To view more details please click here.
Log In to review your account details or to make additional changes.
Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
Don't miss out—sign up to get exclusive offers via e-mail from Discover.
Facebook Twitter I Love Cashback Bonus Blog Mobile
Add firstname.lastname@example.org to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.
This e-mail was sent to [redacted].
You are receiving this Discover e-mail as a confirmation of your account activity.
Log in to update your e-mail address or view your account e-mail preferences.
If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.
Please do not reply to this e-mail as we are not able to respond to messages sent to this address.
DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.
Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC
The link in the email goes to a legitimate hacked site and then one to three scripts as follows:
After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 126.96.36.199 (Linode, US), along with several other hijacked domains.
The attack is fundamentally the same as this American Express themed malspam run described here.