Date: Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From: Dropbox [firstname.lastname@example.org]
Subject: Please update your Expired Dropbox Password
We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.
Please visit the page to update your password
- The Dropbox Team
The link in the email goes through a legitimate hacked site and then on to a set of three scripts:
From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 126.96.36.199 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server listed below in italics.