Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [firstname.lastname@example.org]
Subject: Victoria Carpenter commented on your status
|This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.|
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]126.96.36.199/exhortation/index.html where it attempts to load one of the following three scripts:
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 188.8.131.52 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy and listed in italics below.