Date: Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From: support@orders.staples.com
Subject: Staples order #: 1353083565

Thank you for shopping Staples.
Here's what happens next:

Order No.: 1353083565
Customer No.: 1278823232
Method of Payment: Credit or Debit Card
Track order: Track your order

Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135

Item 1 Qty. Subtotal
DELL 1320 BLACK TONER
Item No.: 744319 Price: $60.38/each
Expected delivery: 10/4/2013 by UPS 2 $125.26

Item 2 Qty. Subtotal
DELL RY854 CYAN TONER
Item No.: 717860 Price: $61.87/each
Expected delivery: 10/4/2013 by UPS 2 $124.03

Subtotal: $243.59
Delivery: FREE
Tax: $17.66
Total: $250.35

Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.

Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print our Driver Release. Some residential orders may be delivered by UPS as late as 7 pm.

Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us at support@orders.staples.com. You can also fax us at 1-800-333-3199.

See our return policy.

Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.

Thanks for shopping Staples.

[snip]

The link in the email goes to a legitimate (but hacked) site, which then attempts to load one of the following three scripts:

[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js

From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US), which is yet another hijacked GoDaddy domain (there are some more on this server, included in the blocklist below).
Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com
algmediation.org
apptechgroups.net
ctwebdesignshop.com
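A small way to put the blocklist above to use on the defensive side is to run it over web-proxy logs and flag any request that touched one of these indicators. The script below is an added example written for this page, not code from the original post. The IP and the six domains are the ones listed above; the log format (client IP, method, URL, destination IP per line) and the log lines themselves are constructed for the example and are assumptions, not real traffic. It matches subdomains of a blocked domain (www.tootle.us) on label boundaries so that an unrelated name that merely ends in the same characters (nottootle.us) is not flagged, and it catches the landing-page server both by hostname and by a literal-IP URL or destination address.

```python
"""
Added example (not part of the original blog post): check web-proxy log lines
against the blocklist published in the post. The indicators (one IP and six
domains) are taken from the post; the log format and the sample lines are
constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post's recommended blocklist.
BLOCKED_IPS = {"23.92.22.75"}
BLOCKED_DOMAINS = {
    "tootle.us",
    "tungstenrents.com",
    "tweetbyte.com",
    "algmediation.org",
    "apptechgroups.net",
    "ctwebdesignshop.com",
}

# Constructed sample log (assumed format): "client-ip method url dest-ip".
# The destination IPs other than 23.92.22.75 are documentation-range placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.staples.com/order/1353083565 198.51.100.1
10.0.0.12 GET http://algmediation.org/inventory/symphony.js 198.51.100.7
10.0.0.12 GET http://www.tootle.us/topic/latest-blog-news.php 23.92.22.75
10.0.0.19 GET http://nottootle.us/index.html 203.0.113.9
10.0.0.19 GET http://23.92.22.75/topic/latest-blog-news.php 23.92.22.75
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dest>\S+)$"
)


def host_is_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.
    Comparison is on label boundaries, so 'nottootle.us' does not match 'tootle.us'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_is_blocked(addr: str) -> bool:
    """True if addr parses as an IP address that is on the blocklist."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return str(ip) in BLOCKED_IPS


def classify_line(line: str):
    """Return (reason, url) if the line touches an indicator, else None.
    reason is 'domain' or 'ip'. The domain check runs on the URL's hostname;
    the IP check runs on the hostname (literal-IP URLs) and on the dest field."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host = urlsplit(url).hostname or ""
    if host_is_blocked(host):
        return ("domain", url)
    if ip_is_blocked(host) or ip_is_blocked(m.group("dest")):
        return ("ip", url)
    return None


def scan(log_text: str):
    """Return the list of (reason, url) hits in order of appearance."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = classify_line(line)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for reason, url in scan(SAMPLE_LOG):
        print(f"{reason:6} {url}")
```

Run against the constructed sample, `scan` returns three hits: the script host algmediation.org, the landing page on www.tootle.us, and the same landing page fetched by literal IP; the staples.com line and the look-alike nottootle.us line are left alone. In practice the indicator sets would be loaded from a file rather than hard-coded, and the regular expression adjusted to the proxy's real log format.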