--- Version 1 --------------------Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).
Date: Fri, 12 Jul 2013 14:35:31 +0300
From: DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645
For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
--- Version 2 --------------------
Date: Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From: tax.help@STATE.TX.GOV.US
Subject: TAX Return Reminder
After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.
A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline
Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517
For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.
Please disregard this reminder if the return has already been submitted.
cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)
The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).
Marilyn Clark
13578 Calderon Rd
SAN DIEGO, CA 92129
US
Phone: +1.7143435399
Email: tekassis@usa.com
Below is a partial blocklist that I would recommened you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com