Date: Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From: Facebook [notification+W85BNFWX@facebookmail.com]
Subject: You have 21 friend suggestions, 11 friend requests and 14 photo tags
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
11 friend requests
21 friend suggestions
14 photo tags
Go to Facebook
This message was sent to [redacted]. If you don't want to receive these emails
from Facebook in the future, please unsubscribe.Facebook, Inc., Attention: Department
415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
This leads to a malware landing page hosted on a hijacked GoDaddy domain at [donotclick]directgrid.org/topic/lairtg-nilles-slliks.php hosted on 188.8.131.52 (Linode, US) where there are a number of other hijacked domains (listed below in italics)