NEWS FROM THE LAB - Wednesday, January 9, 2008

Phishing from the Storm Botnet Posted by Mikko @ 11:43 GMT

Last night there was a phishing run using the domain i-halifax.com.


The IP address of the site was changing every second or so: i-halifax.com was an active fast-flux domain, with the phishing page served from hosts inside a botnet rather than from a single server.


Interestingly, when we picked one IP address at random from the list and looked up which other domain names had pointed to that address in the past, we found something familiar:


Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm.
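The two steps above, spotting a fast-flux name from its churning A records and then pivoting on one of its addresses to find other names that used the same infected hosts, can be done offline against a set of DNS observations. The following is example code added for this page, not F-Secure's tooling; the records, timestamps and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the thresholds in is_fast_flux are illustrative heuristics.

```python
"""Fast-flux indicators and a passive-DNS style pivot over constructed records.

Example code written for this page; the records below are invented for
illustration (RFC 5737 documentation addresses), not data from the original post.
"""
from collections import defaultdict
from datetime import datetime

# Constructed observations: (seen_at, domain, answer_ip, ttl_seconds).
# i-halifax.com is made to behave like a fast-flux name: a different A record
# every second with a zero TTL. The two holiday-themed names were "seen" days
# earlier on addresses from the same pool. stable-site.example is a normal host.
RECORDS = [
    ("2008-01-08T22:00:00", "i-halifax.com", "192.0.2.17", 0),
    ("2008-01-08T22:00:01", "i-halifax.com", "198.51.100.9", 0),
    ("2008-01-08T22:00:02", "i-halifax.com", "203.0.113.41", 0),
    ("2008-01-08T22:00:03", "i-halifax.com", "192.0.2.200", 0),
    ("2008-01-08T22:00:04", "i-halifax.com", "198.51.100.77", 0),
    ("2008-01-08T22:00:05", "i-halifax.com", "203.0.113.5", 0),
    ("2008-01-08T22:00:06", "i-halifax.com", "192.0.2.17", 0),
    ("2007-12-24T10:15:00", "hellosanta2008.com", "198.51.100.9", 0),
    ("2007-12-24T10:15:01", "hellosanta2008.com", "203.0.113.41", 0),
    ("2008-01-02T08:30:00", "postcards-2008.com", "203.0.113.41", 0),
    ("2008-01-02T08:30:01", "postcards-2008.com", "192.0.2.200", 0),
    ("2008-01-08T22:00:00", "stable-site.example", "203.0.113.250", 3600),
    ("2008-01-08T23:00:00", "stable-site.example", "203.0.113.250", 3600),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def flux_indicators(records, domain):
    """Summarise how the A records for `domain` behaved over time."""
    rows = sorted((r for r in records if r[1] == domain), key=lambda r: r[0])
    if not rows:
        raise ValueError("no observations for %s" % domain)
    ips = [r[2] for r in rows]
    # How often the answer differed from the previous observation.
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    span = (_parse(rows[-1][0]) - _parse(rows[0][0])).total_seconds()
    return {
        "observations": len(rows),
        "unique_ips": len(set(ips)),
        "unique_24s": len({ip.rsplit(".", 1)[0] for ip in ips}),
        "answer_changes": changes,
        "max_ttl": max(r[3] for r in rows),
        "window_seconds": span,
    }


def is_fast_flux(ind, min_unique_ips=3, min_unique_24s=2, max_ttl=300):
    """Illustrative heuristic: many addresses spread over several networks,
    a tiny TTL, and answers that actually churn between lookups."""
    return (
        ind["unique_ips"] >= min_unique_ips
        and ind["unique_24s"] >= min_unique_24s
        and ind["max_ttl"] <= max_ttl
        and ind["answer_changes"] > 0
    )


def build_ip_index(records):
    """Reverse index in the style of passive DNS: IP -> every domain it answered for."""
    index = defaultdict(set)
    for _, domain, ip, _ in records:
        index[ip].add(domain)
    return index


def pivot(records, domain):
    """Other domains that shared at least one address with `domain`, with the
    number of shared addresses for each (the step that surfaced the Storm names)."""
    index = build_ip_index(records)
    pool = {r[2] for r in records if r[1] == domain}
    overlap = defaultdict(int)
    for ip in pool:
        for other in index[ip]:
            if other != domain:
                overlap[other] += 1
    return dict(overlap)


if __name__ == "__main__":
    ind = flux_indicators(RECORDS, "i-halifax.com")
    print("i-halifax.com", ind, "fast-flux:", is_fast_flux(ind))
    print("shares addresses with:", pivot(RECORDS, "i-halifax.com"))
```

The pivot deliberately counts shared addresses rather than just reporting membership: one shared IP can be coincidence on a busy shared-hosting box, while several addresses from the same pool point to the same infrastructure, which is the reasoning behind treating the overlap with the earlier holiday-card domains as a Storm signal.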

So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before.

But we've been expecting something along these lines.

From our end-of-year Data Security Wrap-up:

   October brought evidence of Storm variations using unique security keys. The unique keys
   will allow the botnet to be segmented, allowing "space for rent". It looks as if the
   Storm gang is preparing to sell access to their botnet.

This may be what's happening now.