
Monday, 20 March 2017

More highly personalised malspam using hijacked domains

Following on from this spam some weeks ago, another one comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).

From: customerservice@newshocks.com [mailto:customerservice@newshocks.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details




Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:

[Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks,

Contact Us Opening Times Delivery Options Returns Policy Privacy Policy Terms & Conditions


The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 185.141.164.209. This appears to be a legitimate but unused domain belonging to a distributor of car parts.

The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.
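A triage check for the pattern described above, added here as an example and not part of the original post: the sender domain lines up with the relay that delivered the message, so the useful signal is the link pointing at an unrelated domain. The sample message is constructed from the details quoted on this page; its Received line, recipient, HTML markup and URL scheme are assumptions, as are the function names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message quoted in this post; the Received
# line, recipient, markup and URL scheme are assumptions, not captured data.
SAMPLE = """\
Received: from rel209.newshocks.com ([185.141.164.209]) by mx.example.org; Wed, 15 Mar 2017 18:23:00 +0000
From: customerservice@newshocks.com
To: recipient@example.org
Subject: Your order 003009 details
Content-Type: text/html; charset="utf-8"

<p>Information on order 003009 status
<a href="http://clipartwin.com/customers/customer-status-003009-verified">here</a></p>
"""

class _Links(HTMLParser):
    """Collect href values from anchor tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def base_domain(host):
    # Simplification: last two labels. Use a public-suffix list in production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    from_dom = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    # Hostname the relay claimed in the topmost Received header (self-reported).
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    relay_dom = base_domain(m.group(1)) if m else None
    parser = _Links()
    parser.feed(msg.get_payload())
    hosts = sorted({base_domain(urlsplit(h).hostname or "") for h in parser.hrefs})
    return {
        "from_domain": from_dom,
        "sender_aligned": relay_dom == from_dom,
        "offsite_links": [d for d in hosts if d and d != from_dom],
    }
```

On the sample, `sender_aligned` is true and `offsite_links` contains `clipartwin.com`, which is why link destinations need checking independently of whether the sender looks consistent.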

I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years, so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.


2 comments:

Karl Crompton said...

For me they used an address that I haven't used for 5 years.

On the same day I got a much more convincing e-mail from no-reply@bayfronttowerhairsalon.com with Royal Mail Tracking numbers.

Robert Jeffrey said...

I got one of these on 16/3/17. As I had recently placed an order on eBay, I clicked on the "Your Order Information" link thinking it was to do with that. This took me straight to my documents folder inviting me to download it. I cancelled and did some checking. Glad I did. Only came across this blog today. Scary how easily this can happen!