
Tuesday, 11 June 2013

Amazon.com spam / goldcoinvault.com

This fake Amazon.com spam leads to malware on goldcoinvault.com:

Date:      Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From:      "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject:      Payment for Your Amazon Order # 104-884-8180383

Regarding Your Amazon.com Order

Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86

Sony VAIO E Series SVE11135CXW 11.6-Inch Laptop (White)

Sony KDL50EX645 50-Inch 1080p 120HZ Internet Slim LED HDTV (Black)

Sony DSC-H200 Digital Camera with 3-Inch LCD (Black)



Payment Problem
We're writing to let you know that we are having difficulty processing your payment for the above 
transaction.  To protect your security and privacy, your issuing bank cannot provide us with 
information regarding why your credit card was declined. 

However, we suggest that you double-check the billing address, expiration date and cardholder name 
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no 
need to place a new order as we  will automatically  try your credit card again.

There are a few steps you can take to make the process faster:  

1. Verify the payment information for this order is correct (expiration date, billing address, etc). 
You can update your account and billing information at : 

https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383 
 
2. Contact your issuing bank using the number on the back of your card to learn more about their 
policies. Some issuers put restrictions on using credit cards for electronic or internet 
purchases.  Please have the exact dollar amount and details of this purchase when you call the 
bank.  If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash 
from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn 
more.  

Thank you for shopping at Amazon.com.  Sincerely, Amazon.com Customer Service 
http://www.amazon.com  

Please note: This e-mail was sent from a notification-only address that cannot accept incoming
 e-mail. Please do not reply to this message..
To view more details click Order Summary.
Please note: This is not a VAT invoice.

Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates

The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js

From there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here), hosted on goldcoinvault.com, a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be returning a 403, which is good.
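The indicators above can be turned into a sweep of web proxy logs. This is an added example, not part of the original post: the log format (time, client, destination IP, host, path) and the sample lines are constructed, while the redirector hosts, payload path and server IP are the ones given in the post.

```python
# Indicators copied from the post, kept in its defanged notation.
DEFANGED = [
    "[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js",
    "[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js",
    "[donotclick]nteshop.es/tsingtao/flanneling.js",
    "[donotclick]goldcoinvault.com/news/pictures_hints_causes.php",
]
PAYLOAD_IP = "173.255.213.171"  # server address given in the post

def parse_indicator(text):
    """Split a defanged indicator into (host, path) without building a URL."""
    bare = text.replace("[donotclick]", "", 1)
    host, _, path = bare.partition("/")
    return host.lower(), "/" + path

INDICATORS = dict(parse_indicator(d) for d in DEFANGED)

# Constructed proxy log lines (assumed format: time client dest_ip host path).
SAMPLE_LOG = """\
2013-06-11T20:31:02Z 10.0.0.15 203.0.113.9 nteshop.es /tsingtao/flanneling.js
2013-06-11T20:31:03Z 10.0.0.15 173.255.213.171 goldcoinvault.com /news/pictures_hints_causes.php
2013-06-11T20:32:10Z 10.0.0.22 173.255.213.171 other-hijacked.example /index.html
2013-06-11T20:33:45Z 10.0.0.31 198.51.100.7 www.amazon.com /gp/css/summary/edit.html
2013-06-11T20:34:00Z 10.0.0.40 198.51.100.8 NTESHOP.es /other.js
"""

def scan(log_text):
    """Return (client, reason) for each line touching a redirector or the server."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, dest_ip, host, path = fields
        host = host.lower()
        if host in INDICATORS:
            exact = path == INDICATORS[host]
            hits.append((client, "exact-url" if exact else "host-only"))
        elif dest_ip == PAYLOAD_IP:
            # Catches other hijacked domains pointed at the same server.
            hits.append((client, "dest-ip"))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "host-only" hit is weaker evidence than "exact-url", because the redirector hosts are legitimate sites that were hacked and still serve their normal content.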

The following domains appear to be pointing to that server:





1 comment:

Unknown said...

Page still active and drops 2 payloads