Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [[email protected]]
Subject: You requested a new Facebook password
You recently asked to reset your Facebook password.
Click here to change your password.
Didn’t request this change?
If you didn’t request a new password, let us know immediately.
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 18.104.22.168 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.
Leave a reply