This fake Amazon.com spam leads to malware on goldcoinvault.com:
Date: Tue, 11 Jun 2013 14:25:21 -0600 [16:25:21 EDT]
From: "Amazon.com Customer Care Service" [payments-update@amazon.com]
Subject: Payment for Your Amazon Order # 104-884-8180383
Regarding Your Amazon.com Order
Order Placed: June 11, 2013
Amazon.com order number: 104-884-8180383
Order Total: $2761.86
We're writing to let you know that we are having difficulty processing your payment for the above
transaction. To protect your security and privacy, your issuing bank cannot provide us with
information regarding why your credit card was declined.
However, we suggest that you double-check the billing address, expiration date and cardholder name
that you entered; if entered incorrectly these will sometimes cause a card to decline. There is no
need to place a new order as we will automatically try your credit card again.
There are a few steps you can take to make the process faster:
1. Verify the payment information for this order is correct (expiration date, billing address, etc).
You can update your account and billing information at :
https://www.amazon.com/gp/css/summary/edit.html?ie=UTF8&orderID=104-884-8180383
2. Contact your issuing bank using the number on the back of your card to learn more about their
policies. Some issuers put restrictions on using credit cards for electronic or internet
purchases. Please have the exact dollar amount and details of this purchase when you call the
bank. If paying by credit card is not an option, buy Amazon.com Gift Card claim codes with cash
from authorized resellers at a store near you. Visit www.amazon.com/cashgcresellers to learn
more.
Thank you for shopping at Amazon.com. Sincerely, Amazon.com Customer Service
http://www.amazon.com
Please note: This e-mail was sent from a notification-only address that cannot accept incoming
e-mail. Please do not reply to this message..
To view more details click Order Summary.
Please note: This is not a VAT invoice.
Conditions of Use | Privacy Notice 1996-2013, Amazon.com, Inc. or its affiliates
The link in the email goes through a legitimate hacked site to an intermediate page with the following redirectors:
[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js
[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js
[donotclick]nteshop.es/tsingtao/flanneling.js
..from there it hits the main malware payload site at [donotclick]goldcoinvault.com/news/pictures_hints_causes.php (report here) hosted on goldcoinvault.com which is a hacked GoDaddy domain hijacked to point at 173.255.213.171 (Linode, US). This same server is very active and has been spotted here and here, also using hacked GoDaddy domains, but right at the moment the malware page appears to be 403ing which is good.
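One way to hunt for this chain in web proxy logs, as an added example that is not from the original post: it flags a client that fetches one of the redirector scripts listed above and then reaches the payload server shortly afterwards, and reports the status the payload page returned. The log layout, the 60-second window and the sample lines are assumptions constructed for illustration; the indicators are the ones given in the post.

```python
import re
from datetime import datetime

# Indicators copied from the post, kept in its defanged "[donotclick]" form.
REDIRECTORS = [
    "[donotclick]ftp.blacktiedjent.com/mechanic/vaccinated.js",
    "[donotclick]piratescoveoysterbar.com/piggybacks/rejoiced.js",
    "[donotclick]nteshop.es/tsingtao/flanneling.js",
]
PAYLOAD = "[donotclick]goldcoinvault.com/news/pictures_hints_causes.php"
PAYLOAD_IP = "173.255.213.171"
WINDOW_S = 60  # assumed correlation window, in seconds

def split_ioc(ioc):
    """Return (host, path) from a defanged indicator without refanging it."""
    host, _, path = ioc.replace("[donotclick]", "").partition("/")
    return host.lower(), "/" + path

REDIR_SET = {split_ioc(i) for i in REDIRECTORS}
PAYLOAD_HOST = split_ioc(PAYLOAD)[0]
# Assumed log layout: ISO-timestamp client-ip dest-ip host path status
LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_chains(lines):
    """Return (client, redirector host, payload status) per completed chain.
    Expects log lines in time order."""
    last_redirect = {}  # client -> (time, redirector host)
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        ts, client, dest_ip, host, path, status = m.groups()
        when, host = datetime.fromisoformat(ts), host.lower()
        if (host, path) in REDIR_SET:
            last_redirect[client] = (when, host)
        elif dest_ip == PAYLOAD_IP or host == PAYLOAD_HOST:
            seen = last_redirect.get(client)
            if seen and 0 <= (when - seen[0]).total_seconds() <= WINDOW_S:
                hits.append((client, seen[1], int(status)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = """\
2013-06-11T16:30:01 10.0.0.5 192.0.2.10 nteshop.es /tsingtao/flanneling.js 200
2013-06-11T16:30:03 10.0.0.5 173.255.213.171 goldcoinvault.com /news/pictures_hints_causes.php 403
2013-06-11T16:31:00 10.0.0.9 173.255.213.171 goldcoinvault.com / 200
2013-06-11T16:40:00 10.0.0.7 192.0.2.11 piratescoveoysterbar.com /piggybacks/rejoiced.js 200
2013-06-11T16:45:00 10.0.0.7 173.255.213.171 goldcoinvault.com /news/pictures_hints_causes.php 200
""".splitlines()
```

On the constructed sample, only client 10.0.0.5 is reported, with status 403: 10.0.0.9 never fetched a redirector and 10.0.0.7 reached the server outside the window.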
The following domains appear to be pointing to that server:
1 comment:
Page still active and drops 2 payloads