Date: Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From: Facebook [firstname.lastname@example.org]
Subject: Victoria Carpenter commented on your status
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
In this case the link in the spam appears to use a URL shortening service, going first to [donotclick]jdem.cz/5xxb8 and then to [donotclick]18.104.22.168/exhortation/index.html, where it attempts to load one of the following three scripts:
These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php. This is a hijacked GoDaddy domain hosted on 22.214.171.124 (Gandi, US), an IP address that hosts a number of other malicious domains, also hijacked from GoDaddy and listed in italics below.
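One way to hunt for the redirect pattern described above (shortener, then a bare-IP landing page, then a .php payload on another domain) in web proxy logs. This is an added example, not part of the original post: the four-field log format, the 30-second window, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

SHORTENERS = {"jdem.cz"}  # shortener named in the post; extend with your own list
WINDOW = 30               # assumed: max seconds from the previous hop

# Constructed proxy log: epoch, client, host, path (not real traffic)
SAMPLE_LOG = """\
1378141200 10.0.0.5 jdem.cz /5xxb8
1378141201 10.0.0.5 18.104.22.168 /exhortation/index.html
1378141202 10.0.0.5 scripts.example.net /a.js
1378141203 10.0.0.5 london-leather.com /topic/able_disturb_planning.php
1378141210 10.0.0.9 jdem.cz /abcde
1378141211 10.0.0.9 example.org /news/index.html
1378141300 10.0.0.7 192.0.2.10 /status.html
"""

def is_ip_host(host):
    """True when the host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_chains(log_text):
    """Return (client, [defanged hops]) for shortener -> bare IP -> .php chains."""
    state, hits = {}, []  # state: client -> (stage, time of last hop, hops so far)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, client, host, path = int(fields[0]), fields[1], fields[2].lower(), fields[3]
        stage, last, hops = state.get(client, (0, 0, []))
        if ts - last > WINDOW:
            stage, hops = 0, []  # chain went stale, start over
        hop = "[donotclick]" + host + path
        if host in SHORTENERS:
            state[client] = (1, ts, [hop])
        elif stage == 1 and is_ip_host(host):
            state[client] = (2, ts, hops + [hop])
        elif stage == 2 and not is_ip_host(host) and path.endswith(".php"):
            hits.append((client, hops + [hop]))
            del state[client]
        # other requests (such as the intermediate script loads) leave the state alone
    return hits

if __name__ == "__main__":
    for client, hops in find_chains(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

Unrelated requests do not reset a chain, so the script fetch between the landing page and the payload does not hide the match; only the time window expires it.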