Date: Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From: Fax Message [message@inbound.efax.com]
Subject: Fax Message at 2013-08-07 01:54:34 EST

Fax Message
You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.
* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .
Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.
Thank you for using jConnect!
Home|Contact|Login
Powered by j2
2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the jConnect Customer Agreement.

The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js
From then on the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php which is a hacked domain registered by GoDaddy, hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains that I cannot see on the same server.
Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com
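As an added example (not part of the original post), here is a small Python script that applies the blocklist above to web proxy log lines. It matches the IP directly, matches each listed domain and any subdomain of it (so www.eliehabib.com is caught but notv3dev.eu is not), and reports which indicator each hit corresponds to. The log lines embedded in it are constructed for illustration; the initial hacked landing site is not named in the post, so a placeholder .invalid hostname stands in for it.

```python
# Added example: apply the blocklist from the post to proxy log lines.
# The indicators are from the post; the log lines are constructed, and the
# landing site "compromised-landing.invalid" is a placeholder (the post does
# not name the hacked site that starts the redirect chain).
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

BLOCKLIST_IPS = {"173.246.105.15"}
BLOCKLIST_DOMAINS = {
    "v3dev.eu",
    "masperblog.it",
    "shop.zhengtugps.com",
    "eliehabib.com",
}


def host_matches(host: str) -> Optional[str]:
    """Return the blocklist entry that a hostname or IP matches, else None."""
    host = host.strip().lower().rstrip(".")
    # Literal IP match first (the payload server, regardless of vhost name).
    try:
        ip = ipaddress.ip_address(host)
        return host if str(ip) in BLOCKLIST_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    # Match the domain itself and any subdomain, but not a longer unrelated
    # name that merely ends with the same characters.
    for domain in BLOCKLIST_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def url_matches(url: str) -> Optional[str]:
    """Extract the host from a URL (scheme optional) and check it."""
    if "://" not in url:
        url = "http://" + url
    return host_matches(urlsplit(url).hostname or "")


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator, url) for each log line hitting the blocklist.

    Expected line layout (constructed): "<timestamp> <client> <method> <url>".
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or empty line
        url = fields[3]
        indicator = url_matches(url)
        if indicator:
            hits.append((line_no, indicator, url))
    return hits


# Constructed proxy log mirroring the redirect chain described in the post.
SAMPLE_LOG = [
    "2013-08-07T13:05:30 10.0.0.5 GET http://compromised-landing.invalid/go",
    "2013-08-07T13:05:31 10.0.0.5 GET http://v3dev.eu/conciseness/bragging.js",
    "2013-08-07T13:05:31 10.0.0.5 GET http://masperblog.it/manacle/barnaul.js",
    "2013-08-07T13:05:31 10.0.0.5 GET http://shop.zhengtugps.com/submissions/snipped.js",
    "2013-08-07T13:05:32 10.0.0.5 GET http://eliehabib.com/topic/seconds-exist-foot.php",
    "2013-08-07T13:05:33 10.0.0.5 GET http://173.246.105.15/topic/seconds-exist-foot.php",
    "2013-08-07T13:06:00 10.0.0.5 GET http://www.j2.com/help",
]

if __name__ == "__main__":
    for line_no, indicator, url in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {url} matches blocklist entry {indicator}")
```

The first line (the hacked landing site) and the genuine j2.com link produce no hit, which is the point of the post's blocklist: it covers the script hosts and the payload server rather than the legitimate brand being impersonated.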