From: Amazon.com [firstname.lastname@example.org]
Reply-To: "Amazon.com" [email@example.com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
| Your Account | Amazon.com
Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013
Your shipping speed:
Next Day Air
Your order was sent to:
1235 Sunset Dr
San Paolo, NE 69700-0290
Placed on Wensday, May 29, 2013
Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Sold by Electronic Express, Inc.
Facebook Twitter Pinterest
Item Subtotal: $1,397.99
Shipping & Handling: $0.00
Total Before Tax: $1,397.99
Estimated Tax: $0.00
Order Total: $1,397.99
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
How the email address was extracted from Comparethemarket.com is not known.
The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 220.127.116.11 (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.