The link on the email resolved to "http://www.backrite.com/cw3/assets/product_small/Westpac.com.au/Westpac/index.htm", I very crude attempt I thought, the least they could have done was attempt to get a domain that at least appears slightly legitimate or use a URL shortening service at least.
I fired up my debuggig VM and opened up Firefox and pasted the URL in, the site appeared to be down. This was going to be quicker than I thought. Next I examined the e-mail headers and found a number of interesting things;
iX-Apparently-To: email@example.com via 18.104.22.168; Mon, 12 Sep 2011 17:35:43 -0700
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
Authentication-Results: mail.me.com from=westpac.com.au; domainkeys=neutral (no sig); from=westpac.com.au; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO server22.01domain.net) (22.214.171.124)
by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
for firstname.lastname@example.org; Mon, 12 Sep 2011 20:35:40 -0400
Subject: [Bulk] Westpac Notice
X-PHP-Script: proteinat.com/store/images/tmp/z.php for 126.96.36.199
Date: Mon, 12 Sep 2011 20:35:40 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server22.01domain.net
X-AntiAbuse: Original Domain - me.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server22.01domain.net
Firstly, the originating IP did not match the server in the URL. Next the X-PHP-Script header gave an interesting clue, a copy and paste revealed another downed script, but this time the response from the server was more promising, a quick fuzz and I found "http://proteinat.com/store/images/cookie_load.php"
Which is a PHP shell called Web Shell by oRb or WSO. The running version was 2.5 which was released in June of 2011. The attacker must have exploited PHP and uploaded the file. The PHP shell allows for a console which is useful for work, e.g. creating a backdoor, as well as running exploits to escalate privileges to get root access. I have not had the chance to investigate further, but it would be interesting to determine how the hacker got in in the first place.