From: firstname.lastname@example.org [mailto:email@example.com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details

Hello [redacted],

We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.

If you have an online account with us, you can log in here to see the current status of your order.

You will receive another e-mail from us when we have despatched your order.

Information on order 003009 status here

All prices include VAT at the current rate. A full VAT receipt will be included with your order.

Delivery Address: [Name and address redacted]

If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.

Best regards and many thanks,

The newshocks.com domain used in the "From" field matches the sending server of rel209.newshocks.com (also mail.newshocks.com) on 126.96.36.199. This appears to be a legitimate but unused domain belonging to a distributor of car parts.
The link in the email goes to clipartwin.com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit or similar. This is using another hijacked but apparently legitimate web server.
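A triage check built on the two observations above, as an added example that is not from the original post: the From domain lines up with the sending relay, so sender alignment alone tells you nothing here, while the link host sits outside the sender's domain. The sender local part, the recipient MX name, the Received line layout and the URL scheme are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: domains, order number and link path are the ones quoted
# in this post; local part, MX name, Received layout and "http" are assumed.
SAMPLE = """\
Received: from rel209.newshocks.com (rel209.newshocks.com) by mx.recipient.example; Wed, 15 Mar 2017 18:23:00 +0000
From: orders@newshocks.com
Subject: Your order 003009 details
Content-Type: text/plain

Information on order 003009 status here:
http://clipartwin.com/customers/customer-status-003009-verified
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def base_domain(host):
    # Naive last-two-labels heuristic; production triage should use the
    # Public Suffix List so that names under e.g. co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    from_dom = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # msg.get() returns the topmost Received header, i.e. the hop our MTA added.
    hop = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    relay_dom = base_domain(hop.group(1)) if hop else None
    urls = URL_RE.findall(msg.get_payload())
    link_doms = sorted({base_domain(urlparse(u).hostname or "") for u in urls})
    order = re.search(r"\b\d{5,}\b", msg.get("Subject", ""))
    return {
        # True for this campaign: the mail really is sent via the From domain.
        "sender_aligned": from_dom == relay_dom,
        # Link hosts outside the sender's own domain are the stronger signal.
        "offsite_links": [d for d in link_doms if d != from_dom],
        # The lure repeats the order number from the subject in the URL path.
        "order_in_url": bool(order) and any(order.group(0) in u for u in urls),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```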
I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years, so the leak cannot be ancient. If you have seen something similar or have an idea of where the data came from, please leave a comment below.