From: Amazon.com [ship-confirm@amazon.com]
Reply-To: "Amazon.com" [ship-confirm@amazon.com]
Date: 3 October 2013 15:43
Subject: Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!
Amazon.com
Kindle Store
| Your Account | Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]
Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
Facebook Twitter Pinterest
$1,397.99
Item Subtotal: $1,397.99
Shipping & Handling: $0.00
Total Before Tax: $1,397.99
Estimated Tax: $0.00
Order Total: $1,397.99
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
How the email address was extracted from Comparethemarket.com is not known.
The link in the email goes through a legitimate but hacked site and then runs one of the following three scripts:
[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js
This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). This is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.
Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de
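One way to apply the recommended blocklist to web proxy records, as an added example that is not part of the original post. The function names and the sample log records are constructed for illustration. Hostnames are matched on label boundaries, so sigmarho.zxq.net is caught without blocking every other site on the shared zxq.net host, and the IP entry catches other domains served from the same address.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as listed in the recommended blocklist above.
BLOCKLIST = ["96.126.103.252", "globalrealty-nyc.info", "berkahabadi.de",
             "sigmarho.zxq.net", "wni9e7311.homepage.t-online.de"]

def as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None

def refang(url):
    """Turn the '[donotclick]host/path' notation into a parseable URL."""
    url = url.replace("[donotclick]", "")
    return url if "://" in url else "http://" + url

def is_blocked(url, dest_ip=None, entries=BLOCKLIST):
    """True if the URL's host, or the IP the proxy connected to, is listed."""
    bad_ips = {as_ip(e) for e in entries} - {None}
    bad_hosts = {e.lower() for e in entries if as_ip(e) is None}
    host = (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    # Exact host or a subdomain of it; never a bare substring match.
    if any(host == h or host.endswith("." + h) for h in bad_hosts):
        return True
    # The URL may use the IP directly, or a new domain may resolve to it.
    return any(as_ip(c) in bad_ips for c in (host, dest_ip) if c)

# Constructed proxy records: (requested URL, destination IP).
SAMPLE_LOG = [
    ("http://berkahabadi.de/unclear/unsettle.js", "203.0.113.10"),
    ("http://www.globalrealty-nyc.info/topic/latest-blog-news.php",
     "96.126.103.252"),
    ("http://other-tenant.example/index.html", "96.126.103.252"),  # IP hit only
    ("http://files.zxq.net/readme.txt", "198.51.100.7"),    # same host, clean
    ("http://notberkahabadi.de/", "198.51.100.8"),          # look-alike suffix
]

def scan(log=SAMPLE_LOG):
    """Return the URLs from the log that the blocklist would stop."""
    return [url for url, ip in log if is_blocked(url, ip)]

if __name__ == "__main__":
    for hit in scan():
        print("BLOCK", hit)
```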