Here's a screenshot of a site that we discovered back in December, BGI-Funds:
It's of a PHP based Bulletin Board that's used for money laundering recruitment.
We searched for the following text taken from the site:
I'll get right to the point. I have large amount of funds
At the top of the search results was a Symantec post (September '07) making the link between Storm spam and a copy of the phpBB site. So that pretty much confirmed what we wanted to know.
Returning to the search today — the site's still alive — though the name has changed several times. Submitting a Google search for Paid for Receiving Bank Transfers provides a large number of results.
Most of the sites are offline; you'll need to view the cache to see an example.
We located two sites that are currently active. They're hosted using fast flux:
Another example:
New forum members have been signing up at both locations in order to communicate with the site's Admin (who promises 10%). The membership list appears to be merged prior to February of this year. Posts to the forum date back to the end of 2004. The recycled forum will apparently survive as long as does the Storm botnet.
One curious thing about the membership list… of those that provide their location, the majority are Canadians. What's up with that?
