1. [...] used in a previously profiled malicious campaign impersonating Intuit – “‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit“, where the client-side exploit-serving URL ( was also registered with the [...]

  2. [...] The various malicious domains used in the campaign responded to the same set of IP addresses. You can find a list of the malicious URLs in Danchev’s write-up. [...]