Date: Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From: Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject: Doug Bernal wants to be friends with you on Facebook.
Doug is quite a feminine looking bloke:
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Doug Bernal
Doug Bernal
Hyo Auiles
Gigi Arvay
Hester Brush
Lesa Bueschel
Crawford Eredia
Casey Elting
Delfina Grode
Deandrea Grise
Tori Circle
Austin Chum
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Clicking on the link in the email goes through a legitimate but hacked site, and from there on to one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js
From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php, which is (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains, which are highlighted below.
Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com
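One way to apply a blocklist like this to proxy logs, as an added example that is not part of the original post. The function names and the (URL, destination IP) record format are assumptions, and the log records are constructed. It shows why both entry types matter: hostnames are matched on label boundaries, and the IP entry catches domains on the same server that are not yet listed.

```python
import ipaddress
from urllib.parse import urlsplit

# Three entries taken from the post; the log records below are constructed.
BLOCKLIST = ["72.249.76.197", "art.impactmt.com", "hubby-wife.com"]

def split_blocklist(entries):
    """Separate IP addresses from hostnames, normalising case and trailing dots."""
    ips, hosts = set(), set()
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            hosts.add(entry)
    return ips, hosts

def refang(url):
    """Turn the post's '[donotclick]host/path' notation into a parseable URL."""
    url = url.replace("[donotclick]", "")
    return url if "://" in url else "http://" + url

def match(url, dest_ip, ips, hosts):
    """Return the blocklist entry a request hits, or None."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    labels = host.split(".")
    # Match the listed name or any subdomain of it, on label boundaries,
    # so 'art.impactmt.com' does not also block 'impactmt.com'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    # The IP entry catches unlisted domains hosted on the same server.
    return dest_ip if ipaddress.ip_address(dest_ip) in ips else None

# Constructed proxy records: (requested URL, destination IP).
SAMPLE_LOG = [
    ("[donotclick]art.impactmt.com/ecology/christmases.js", "192.0.2.10"),
    ("http://www.impactmt.com/index.html", "192.0.2.10"),
    ("http://HUBBY-WIFE.com./topic/able_disturb_planning.php", "72.249.76.197"),
    ("http://unlisted-domain.example/landing.php", "72.249.76.197"),
    ("http://nothubby-wife.com/", "198.51.100.7"),
]

def scan(log=SAMPLE_LOG):
    """Return one verdict per log record (matched entry or None)."""
    ips, hosts = split_blocklist(BLOCKLIST)
    return [match(url, ip, ips, hosts) for url, ip in log]
```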