From: Wallmart.com [deviledm978@news.wallmart.com]
Date: 16 May 2013 14:02
Subject: Thanks for your Walmart.com Order 3795695-976140
Walmart
Visit Walmartcom | Help | My Account | Track My Orders
[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
Ship to Home
Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
Walmart.com Order Number: 3795695-976140
Ship to Home - Standard
Items Qty Arrival Date Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV 1 Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home. $898.00
Subtotal: $898.00
Shipping: Free
Tax: $62.86
See our Returns Policy or
contact Customer Service Walmart.com Total: $960.86
Order Summary
Order Date: 05/15/2013
Subtotal: $898.00
Shipping: Free
Tax: $62.86
Order Total: $960.86
Credit card: $960.86
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,
Your Walmart.com Customer Service Team
www.walmart.com
Rollbacks Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
©Walmart.com USA, LLC, All Rights Reserved.
The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
The WHOIS details are characteristic of the Amerika gang:
Administrative Contact:
McDonough, Tara ukcastlee@mail.com
38 Wee Burn Lane
DARIEN, CO 06820
US
2036566697
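Because the link in the email points at a hacked legitimate site and only later lands on the payload host, a filter has to check every hop of the redirect chain, not just the URL in the message. The following is an added example, not part of the original post: the indicators are the payload domain and hosting IPs named above, while the first two hosts in the sample chain and the DNS map are constructed placeholders.

```python
from urllib.parse import urlsplit

# Indicators named in the post: the payload domain and its two hosting IPs.
BLOCKED_DOMAINS = {"bestunallowable.com"}
BLOCKED_IPS = {"108.5.125.134", "198.61.147.58"}


def host_of(url):
    """Return the lowercased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_blocked(host, resolved_ips=()):
    """True if host is a blocked IP, resolves to one, or is a blocked
    domain or a subdomain of one."""
    if host in BLOCKED_IPS or BLOCKED_IPS.intersection(resolved_ips):
        return True
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def first_blocked_hop(chain, dns=None):
    """chain: URLs in the order they were visited (hop 0 = link in the email).
    dns: optional {host: [ip, ...]} taken from proxy or passive-DNS logs.
    Returns (index, url) of the first blocked hop, or None."""
    dns = dns or {}
    for i, url in enumerate(chain):
        host = host_of(url)
        if is_blocked(host, dns.get(host, ())):
            return i, url
    return None


# Constructed sample chain. The first two hosts are placeholders for the
# hacked site and the redirector; the last hop is the URL from the post,
# kept defanged (hxxp) since only the hostname is inspected.
SAMPLE_CHAIN = [
    "http://hacked-site.example/wp-content/order.html",
    "http://redirector.example/go.php?id=1",
    "hxxp://bestunallowable.com/news/ask-index.php",
]

if __name__ == "__main__":
    print("email link alone:", first_blocked_hop(SAMPLE_CHAIN[:1]))
    print("full chain:      ", first_blocked_hop(SAMPLE_CHAIN))
```

Checking only the first hop returns nothing, which is what a filter that sees just the email URL would conclude; the full chain is flagged at the third hop.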
Blocklist (including nameservers):
5 comments:
Our company got a couple of the same thing linking to these sites:
hypnose-reussite.com
bodysoulnn.ru
Same amount, same exact wording, excepting different names and addresses. Every single one is for the same 'total.'
@Gwenwyn, the URL in the email is always a legitimate hacked site which leads to a redirector which *then* bounces the victim to the payload site. It's a clever trick as it helps to bypass URL-based spam filtering.
Don't click on anything. If you are concerned go to your browser and enter the actual website.
Don't click on anything. If you are concerned go directly to the website manually in your browser. Hyperlinks are not always what they claim to be.
Does anyone know the extent of damage this thing does if you click the link and receive the payload? It seems to be changing some settings in IE, but beyond that I can't tell if anything else is going on.