
Showing posts sorted by date for query 59.57.247.185.

Saturday, 29 December 2012

FedACH Announcement spam / incinteractive.net

This fake whatever-the-heck-it-is spam leads to malware on incinteractive.net:
Date:      Fri, 28 Dec 2012 22:45:28 +0900
From:      "Federal Reserve Banking Services@sys.frb.org" [ACHR_58976105@FedMail.frb.org]
Subject:      FedMail (R): FedACH Announcement - End of Day - 12/27/12

Please overview the ACH Advice Statement from the Federal Reserve System by clicking here.

The malicious payload is at [donotclick]incinteractive.net/detects/wishs_continually.php hosted on the well-known IP of 59.57.247.185 in China, which also hosts the following malicious domains:



Friday, 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon

The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Wednesday, 26 December 2012

E-billing spam / proxfied.net

There are various e-billing spam emails circulating today, pointing to malware on proxfied.net:


Date:      Wed, 26 Dec 2012 18:49:37 +0300
From:      alets-no-reply@customercenter.citibank.com
Subject:      Your Further eBill from Citibank Credit Card


       
Member: [redacted]

Add alerts@serviceemail2.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
New eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36

How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on by clicking this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3843054050826645

1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================


Date:      Wed, 26 Dec 2012 10:50:38 -0500
From:      alerts@serviceemail6.citibank.com
To:      [redacted]
Subject:      Your got Renewed eBill Available from AT&T Bill


       
Member: [redacted]

Add citibankonline@customercenter.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Available

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 74.93
Minimum Amount Due: 74.93

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its objective is to help you check that the e-mail was real sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you going to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 57897

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

7835212473101882

8/6J/472774/910/JM/TK/XD/9078/SYSTE2T /GI793670607303856/5644

====================


Date:      Wed, 26 Dec 2012 17:37:12 +0200
From:      alerts@customercenter.citibank.com
To:      <[redacted]>
Subject:      Your just received Fresh eBill Ready for review from Citibank Credit Card


       
Member: [redacted]

Add customerservice@serviceemail9.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Should Be Complete

   
Account Number: **************0
Due Date: 28/22/2012
Amount Due: 529.80
Minimum Amount Due: 529.80

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its aim is to help you check that the e-mail was actually sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 30415

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click here and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3612654275931761

2/IC/009813/854/GU/7J/5F/0102/SYSTE0T /J4044525669689549/3261

====================


Date:      Wed, 26 Dec 2012 09:04:44 -0600
From:      alets-no-reply@serviceemail6.citibank.com
To:      <[redacted]>
Subject:      New eBill is Now Available. From: AT&T Bill


       
Member: [redacted]

Add customerservice@citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Fresh eBill Ready for review

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 232.34
Minimum Amount Due: 232.34

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please not try to reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you be sure that the e-mail was in reality sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign in using this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 5800
Sioux Hills, NC 52846

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click to open and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

5252192738554872

8/B8/851199/374/4J/PL/0Y/1754/SYSTEYZ /S7493944434265957/9990

====================


Date:      Wed, 26 Dec 2012 09:54:12 -0500
From:      customerservice@citibank.com
To:      <[redacted]>
Subject:      Your Further eBill from American Express


       
Member: [redacted]

Add customerservice@serviceemail8.citibank.com to your address book to ensure delivery.

Your Account: Important Note
   
Fresh eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 56.92
Minimum Amount Due: 56.92

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to show your bill summary.

Please do not reply to this message.

If you have any questions about your bill, please contact American Express directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its target is to help you check that the e-mail was really sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on with this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 6000
Sioux Wheels, NC 56012

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

4530267461705664

6/2P/193057/917/70/O0/HE/0121/SYSTER5 /9I438409026123046/3702

The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with the following malicious domains:

sessionid0147239047829578349578239077.pl
latticesoft.net
proxfied.net

Thursday, 13 December 2012

Citibank spam / eaglepointecondo.biz

This fake Citibank spam leads to malware on eaglepointecondo.biz:


Date:      Thu, 13 Dec 2012 16:59:14 +0400
From:      "Citi Alerts" [lubumbashiny63@bankofdeerfield.com]
Subject:      Account Operation Alert

EMAIL SAFETY AREA    
       
ATM/Credit card ending in: XXX8    
       
Notifications System
   
Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Withdrawn: $4,564.61
Date: 12/12/12


Sign In to Abort Details
   
Wire Transaction Issued

Ultimate Savings Account (USA) XXXXXXXXX5
Amount Debited: $.24
Date: 12/12/12

Login to Overview Operation
   
ABOUT THIS MESSAGE

Please DO NOT reply to this message. auto-notification system can't accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Alerts [mailto:enormityyf10@iztzg.hr]
Sent: 13 December 2012 12:50
Subject: Account Operation Alert
Importance: High

EMAIL SAFETY AREA
        
ATM/Credit card ending in: XXX6   
 
Notifications System

Bill Payment

Checking XXXXXXXXX7
Amount Withdrawn: $5,951.56
Date: 12/12/12

Visit this link to Cancel Detailed information

Bill Payment

Checking XXXXXXXXX7
Amount Debited: $.14
Date: 12/12/12

Login to Review Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auto informer system unable to accept incoming mail.    
            
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

====================

From: Citibank - Service [mailto:goaliesj79@wonderware.com]
Sent: 13 December 2012 12:59
Subject: Account Alert
Importance: High

EMAIL SAFETY ZONE

ATM/Debit card ending in: XXX8      

Alerting System

Withdraw Message

Savings Account XXXXXXXXX4
Amount Debited: $1,218.42
Date: 12/12/12

Login to Abort Operation

Withdraw Message

Savings Account XXXXXXXXX4
Amount Withdrawn: $.42
Date: 12/12/12

Sign In to Overview Operation

ABOUT THIS MESSAGE
Please DO NOT reply to this message. auto-notification system not configured to accept incoming mail.       
              
Citibank, N.A. Member FDIC.
2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is on [donotclick]eaglepointecondo.biz/detects/operation_alert_login.php hosted on 59.57.247.185 in China. The same IP has been used several times for evil recently and you should block it if you can.
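
The blocking advice above as a log check, added here as an example and not code from the original blog: it reads the defanged `[donotclick]` payload URLs and the IP quoted on this page, then flags matching lines in a proxy log. The log format, the sample log lines and the `/detects/*.php` path heuristic (inferred from the payload URLs quoted on the page) are assumptions.

```python
import re

# Payload sentences quoted from this page, left defanged as the blog wrote them.
PAGE_TEXT = """
[donotclick]eaglepointecondo.biz/detects/operation_alert_login.php hosted on 59.57.247.185
[donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185
[donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185
"""

# Constructed proxy log, assumed format:
# timestamp client_ip dest_ip method host path status
SAMPLE_LOG = [
    "2012-12-13T13:02:11Z 10.0.0.21 59.57.247.185 GET eaglepointecondo.biz /detects/operation_alert_login.php 200",
    "2012-12-13T13:05:40Z 10.0.0.34 59.57.247.185 GET unlisted.example /detects/new_lure.php 200",
    "2012-12-13T13:07:02Z 10.0.0.21 192.0.2.10 GET www.example.com /index.php 200",
    "2012-12-13T13:09:55Z 10.0.0.50 198.51.100.7 GET www.example.org /detects/report.php 404",
]

DEFANGED_URL = re.compile(r"\[donotclick\]([a-z0-9.-]+)(/\S*)?", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: the payload URLs quoted on the page all have this shape. A path
# match on its own is a weak signal, so it is marked for review, not as a hit.
LANDING_PATH = re.compile(r"^/detects/[\w-]+\.php$")


def extract_indicators(text):
    """Return (hostnames, ip_addresses) found in defanged blog text."""
    hosts = {host.lower() for host, _path in DEFANGED_URL.findall(text)}
    ips = set(IPV4.findall(text))
    return hosts, ips


def match_reasons(dest_ip, host, path, hosts, ips):
    """List which indicator types a single request matches."""
    host = host.lower().rstrip(".")
    reasons = []
    if dest_ip in ips:
        reasons.append("ip")
    # Match the listed name itself and any subdomain of it.
    if host in hosts or any(host.endswith("." + h) for h in hosts):
        reasons.append("domain")
    if LANDING_PATH.match(path.split("?", 1)[0]):
        reasons.append("path")
    return reasons


def triage(log_lines, hosts, ips):
    """Return (client, host, verdict, reasons) for every matching log line."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # skip lines that do not fit the assumed format
        _ts, client, dest_ip, _method, host, path, _status = fields
        reasons = match_reasons(dest_ip, host, path, hosts, ips)
        if not reasons:
            continue
        # An IP or domain match is a confirmed indicator; path-only is not.
        verdict = "hit" if {"ip", "domain"} & set(reasons) else "review"
        findings.append((client, host, verdict, reasons))
    return findings


if __name__ == "__main__":
    known_hosts, known_ips = extract_indicators(PAGE_TEXT)
    for client, host, verdict, reasons in triage(SAMPLE_LOG, known_hosts, known_ips):
        print(f"{verdict:6} client={client} host={host} matched={','.join(reasons)}")
```

The second sample line shows why the IP is the more durable indicator: a domain that is not on any list is still caught because it resolves to the same server.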

Wednesday, 12 December 2012

Citibank spam / platinumbristol.net

This fake Citibank spam leads to malware on platinumbristol.net:

From:     citibankonline@serviceemail1.citibank.com via pado.com.br
Date:     12 December 2012 15:38
Subject:     Account Alert
Mailed-by:     pado.com.br

Citi    
Email Security Zone     EMAIL SECURITY AREA    
   
ATM/Credit card ending in: XXX7      
 
Alerting System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Debited: $2,973.22
Date: 12/12/12

Log In to Overview Transaction
       
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX2
Amount Credited: $.97
Date: 12/12/12

Visit this link to Overview Detailed information
   
ABOUT THIS MESSAGE
Please DO NOT reply to this message. auomatic informational system unable to accept incoming messages.
              
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================

From:     citibankonline@serviceemail5.citibank.com via clickz.com
Date:     12 December 2012 15:39
Subject:     Account Notify
Mailed-by:     clickz.com

Citi    
Email Security Zone     EMAIL SAFETY AREA      
            
ATM/Debit card ending in: XXX7      
 
Alerting System

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $3,620.11
Date: 12/12/12

Visit this link to Cancel Details

Money Transfer Report

Savings Account XXXXXXXXX8
Amount Withdrawn: $.38
Date: 12/12/12

Sign In to Overview Details

ABOUT THIS MESSAGE
Please Not try to reply to this message. automative notification system unable to accept incoming messages.
      
Citibank, N.A. Member FDIC.
© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc. 

========================

Date:      Wed, 12 Dec 2012 23:16:15 +0700
From:      alets-no-reply@serviceemail6.citibank.com
Subject:      Account Insufficient funds

EMAIL SAFETY ZONE    
       
ATM/Debit card ending in: XXX0    
       
Notifications System
   
Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Debited: $4,222.19
Date: 12/12/12

Login to Abort Detailed information

Transaction Announcement

Ultimate Savings Account (USA) XXXXXXXXX4
Amount Credited: $.41
Date: 12/12/12

Go to web site by clicking here to See Operation

ABOUT THIS MESSAGE

Please Not try to reply to this message. automative notification system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

========================


Date:      Wed, 12 Dec 2012 20:07:46 +0400
From:      citibankonline@serviceemail8.citibank.com
Subject:      Account Operation Alert

EMAIL SECURITY ZONE    
       
Credit card ending in: XXX0    
       
Notifications System
   
Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Credited: $5,970.51
Date: 12/12/12

Click Here to Review Transaction

Bill Payment

Ultimate Savings Account (USA) XXXXXXXXX3
Amount Withdrawn: $.11
Date: 12/12/12

Sign In to View Operation

ABOUT THIS MESSAGE

Please don't reply to this message. auomatic informational system cannot accept incoming mail.
   
Citibank, N.A. Member FDIC.

© 2012 Citigroup Inc. Citi with Arc Design and Citibank are registered service marks of Citigroup Inc.

The malicious payload is at [donotclick]platinumbristol.net/detects/alert-service.php hosted on the same 59.57.247.185 IP address in China that has been used in several recent attacks. This is definitely an IP to block if you can.

I can see the following evil domains on that same server:

Monday, 10 December 2012

AICPA spam / eaglepointecondo.org

Yet another fake AICPA spam run today with a slightly different domain from before, now on eaglepointecondo.org:


Date:      Mon, 10 Dec 2012 18:51:38 +0100
From:      "AICPA" [info@aicpa.org]
Subject:      Tax return assistance fraud.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having any issues reading this email? Overview it in your favorite browser.

Suspension of CPA license due to income tax indictment

Valued AICPA participant,

We have been notified of your potential participation in income tax refund shady transactions for one of your customers. In concordance with AICPA Bylaw Head # 740 your Certified Public Accountant status can be terminated in case of the act of submitting of a phony or fraudulent tax return for your client or employer.

Please be informed of the complaint below and respond to it within 7 work days. The refusal to respond within this period will finish in cancellation of your Accountant status.

Delation.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===================


Date:      Mon, 10 Dec 2012 14:50:40 -0300
From:      "AICPA" [noreply@aicpa.org]
Subject:      Your accountant license can be end off.

You're receiving this message as a Certified Public Accountant and a part of AICPA.
Having problems reading this email? Review it in your browser.

Suspension of Accountant status due to tax return fraud prosecution

Respected AICPA member,

We have received a complaint about your alleged participation in income tax return fraudulent activity for one of your employees. In accordance with AICPA Bylaw Section No. 500 your Certified Public Accountant license can be terminated in case of the event of presenting of a false or fraudulent tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 3 work days. The rejection to provide the clarifications within this time-frame would abide in end off of your Certified Accountant Career.

SubmittedReport.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

In this case the malicious payload is at [donotclick]eaglepointecondo.org/detects/denouncement-reports.php hosted on 59.57.247.185 in China, as with the earlier spam run today.

AICPA spam / eaglepointecondo.co

This fake AICPA spam leads to malware on eaglepointecondo.co:


Date:      Mon, 10 Dec 2012 19:29:21 +0400
From:      "AICPA" [alerts@aicpa.org]
Subject:      Income fake tax return accusations.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having difficulties reading this email? Take a look at it in your browser.

Termination of Public Account Status due to income tax fraud allegations

Respected accountant officer,

We have received a denouncement about your probable interest in income tax return swindle for one of your customers. In concordance with AICPA Bylaw Head # 500 your Certified Public Accountant status can be revoked in case of the occurrence of submitting of a faked or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 21 business days. The rejection to provide elucidation within this period would finish in end off of your CPA license.

SubmittedReport.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at [donotclick]eaglepointecondo.co/detects/denouncement-reports.php hosted on 59.57.247.185 in China, which has been used a few times recently for malware distribution.



The following malicious domains appear to be on the same server:

Friday, 7 December 2012

AICPA spam / ibertomoralles.org

I haven't seen fake AICPA spam like this for a while; it leads to malware on ibertomoralles.org:

From:     AICPA [noreply@aicpa.org]
Date:     7 December 2012 16:55
Subject:     Your accountant license can be cancelled.

You're receiving this information as a Certified Public Accountant and a member of AICPA.
Having any problems reading this email? See it in your favorite browser.

AICPA logo
    
Revocation of CPA license due to income tax fraud accusations
Dear AICPA participant,

We have been informed of your potential involvement in tax return swindle   on behalf of one of your employers. In obedience to AICPA Bylaw Article 700 your Certified Public Accountant position can be discontinued in case of the aiding of filing of a phony or fraudulent income tax return for your client or employer.

Please be notified below and provide explanation of this issue to it within 14 work days. The rejection to provide elucidation within this time-frame would finish in decline of your Accountant status.

Delation.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066
===================

Date:      Fri, 7 Dec 2012 18:31:58 +0100
From:      "AICPA" [do-not-reply@aicpa.org]
Subject:      Tax return assistance contrivance.

You're receiving this note as a Certified Public Accountant and a part of AICPA.
Having any problems reading this email? See it in your favorite browser.

Cancellation of Public Account Status due to tax return indictment

Respected accountant officer,

We have received a note of your presumable interest in income tax fraud for one of your clients. In concordance with AICPA Bylaw Article 600 your Certified Public Accountant status can be discontinued in case of the event of submitting of a fake or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and provide your feedback to it within 14 work days. The rejection to respond within this time-frame will result in end off of your CPA license.

Delation.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at [donotclick]ibertomoralles.org/detects/five-wise_leads_ditto.php hosted on the same Chinese IP address of 59.57.247.185 as used in this spam yesterday.

Thursday, 6 December 2012

eBay, PayPal spam / ibertomoralles.com

These spam messages lead to malware on ibertomoralles.com:


Date:      Thu, 6 Dec 2012 13:12:16 -0600
From:      "PayPal" [service@paypal.com]
Subject:      Your Ebay.com transaction details.

    Dec 5, 2012 09:31:49 CST

Transaction ID: U5WZP603SNLLWR5DT
Hello [redacted],

You sent a payment of $363.48 USD to Normand Akers.

It may take a several minutes for this transaction to appear in your transactions history.

Seller

Normand-Akers@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Hyde Rd
Glendale SC 58037-0659
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
NordicTrack Mini Cycle

Item# 118770508253     24     $363.48 USD
Shipping and handling     $24.99 USD
Insurance - not offered     ----
Total     $363.48 USD
Payment     $363.48 USD

Payment sent to Normand Akers    

Receipt ID: D-69NQRGN113A3A9UQ3

Issues with this transaction?

You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Please do not reply to this message. auto informer system unable to accept incoming messages. For immediate answers to your issues, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID PZ147

==========


Date:      Thu, 6 Dec 2012 19:57:37 +0100
From:      "PayPal" [noreply@paypal.com]
Subject:      Your Paypal.com transaction confirmation.

    Dec 5, 2012 09:50:54 CST

Transaction ID: 8P7D295HFIIIMUC4Q
Hello [redacted],


You done a payment of $894.48 USD to Carol Brewster.

It may take a few moments for this transfer to appear in your transactions history.

Merchant

Carol-Brewster@aol.com

    Instructions to seller

You haven't entered any instructions.
Shipping address - confirmed
Pharetra Street
Manlius NY 74251-6442
United States
    Shipping details
The seller hasn't provided any shipping details yet.
Description     Qty.     Amount
TaylorMade R11 Driver Golf Club

Item# 703099838857     54     $894.48 USD
Shipping and handling     $14.49 USD
Insurance - not offered     ----
Total     $894.48 USD
Payment     $894.48 USD

Payment sent to Carol Brewster    

Receipt ID: H-K01U2WSTLZZMRAB90

Issues with this transaction?
You have 45 days from the date of the purchase to issue a dispute in the Resolution Center.

Please DO NOT reply to this message. auto-notification system can't accept incoming mail. For fast answers to your subjects, visit our Help Center by clicking "Help" located on any PayPal page.

PayPal Email ID P8695

The malicious payload is at [donotclick]ibertomoralles.com/detects/slowly_apply.php hosted on 59.57.247.185 (Xiamen JinLongLvXingChe, China). The following malicious domains also appear to be hosted on the same server:
