From: Royal Mail noreply@royalmail.com
Date: 27 February 2014 14:50
Subject: Royal Mail Shipping Advisory, Thu, 27 Feb 2014
Royal Mail Group Shipment Advisory
The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE
For more details please follow the link below - http://www.royalmail.com/track-trace?=GB36187692IE
SHIPMENT CONTENTS: Insurance Form
SHIPPER REFERENCE: Please refer to the Royal Mail Shipping Services
ADDITIONAL MESSAGE FROM SHIPPER: Please refer to the Royal Mail Shipping Services
Royal Mail Group Ltd 2014. All rights reserved
This is a ThreeScripts attack: the link in the email goes to:
[donotclick]wagesforinterns.com/concern/index.html
and it then runs one or more of the following scripts:
[donotclick]billigast-el.nu/margarita/garlicky.js
[donotclick]ftp.arearealestate.com/telecasted/earners.js
[donotclick]tattitude.co.uk/combines/cartooning.js
In this case the payload site is at
[donotclick]northwesternfoods.com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites (listed below in italics). The payload appears to be an Angler Exploit Kit (see this example).
Recommended blocklist:
23.239.12.68
billigast-el.nu
ftp.arearealestate.com
tattitude.co.uk
n2ocompanies.com
northerningredients.com
northwesternfoods.com
oziama.com
oziama.net
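As an added defensive example (not part of the original post, and not the blog's own tooling), the script below does two things a mail or proxy admin would want after reading this: it flags anchors whose visible text is a URL on one host (here www.royalmail.com) while the href points to a different host, which is the lure used by this spam, and it matches hostnames from a log against the recommended blocklist above, including subdomains. The HTML body is constructed for the example and is assumed to resemble the spam's markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Blocklist taken from the post: the payload IP plus the domains it recommends blocking.
BLOCKLIST = {
    "23.239.12.68", "billigast-el.nu", "ftp.arearealestate.com", "tattitude.co.uk",
    "n2ocompanies.com", "northerningredients.com", "northwesternfoods.com",
    "oziama.com", "oziama.net",
}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercased hostname of a URL string, or None if it has no host."""
    return (urlsplit(url).hostname or "").lower() or None

def mismatched_links(html):
    """(shown_host, real_host) for anchors whose visible text is a URL on one host
    but whose href goes somewhere else: the lure used by this Royal Mail spam."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(host_of(text), host_of(href)) for href, text in parser.links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]

def blocklist_hits(hosts):
    """Hosts from a log (lowercase) that equal a blocklisted entry or sit under one."""
    return sorted(h for h in hosts
                  if any(h == b or h.endswith("." + b) for b in BLOCKLIST))

# Constructed sample body (not from the post): visible text mimics the tracking link,
# the href is the ThreeScripts landing page the post identifies.
SAMPLE_HTML = ('<p>For more details please follow the link below - '
               '<a href="http://wagesforinterns.com/concern/index.html">'
               'http://www.royalmail.com/track-trace?=GB36187692IE</a></p>')
```

Note that the landing page host itself (wagesforinterns.com) is not in the post's blocklist, so only the link-text mismatch catches the first hop; the blocklist catches the script and payload hosts.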