Date: Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]The link in the email goes through a legitimate hacked site and then redirects through one of the following three scripts:
From: "Fire@irs.gov" [firstname.lastname@example.org]
Subject: Invalid File Email Reminder
We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:
Filename # of Times
Been Sent Tax
ORIG.62U55.2845 2 2012
If you did not know your file contained invalid data, the results are posted on the FIRE (Filing Information Returns Electronically) System within two business days of your transmission. It is your onus to check your filing results. To view your file results open the page: Check File Status.
If you have sent an acceptable file that you think replaces the above file(s) or if you are uncertain how to resolve the errors in your file(s), please contact the IRS/Information Returns Branch: Please fill in the contact form;
The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole.org/topic/latest-blog-news.php hosted on 18.104.22.168 (A2 Hosting, US) along with several other hijacked domains listed in italics below.