NEWS FROM THE LAB - Wednesday, January 9, 2008

Phishing from the Storm Botnet
Posted by Mikko @ 11:43 GMT

Last night there was a phishing run using the domain i-halifax.com.

[Image: i-halifax]

The IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet.

[Image: i-halifax]

Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar:

[Image: i-halifax]

Hmm… hellosanta2008.com… postcards-2008.com? Sounds like Storm.
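The two checks the post walks through (watching a name's A record change on every query, then pivoting the observed addresses through resolution history to find other names hosted on the same bots) can be written as a small detection routine. The following is an added example, not code from the F-Secure post; the resolver log, the passive-DNS history and the thresholds in it are constructed assumptions, the IP addresses are RFC 5737 documentation ranges, and only the domain names come from the post.

```python
"""Added example: flag a fast-flux domain from repeated resolutions, then
pivot its IPs through a passive-DNS-style history to find the other domains
those hosts served. All records here are constructed; IPs are documentation
ranges (RFC 5737) and timestamps are arbitrary."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Resolution:
    ts: int       # seconds into the observation window (constructed)
    domain: str
    ip: str
    ttl: int      # TTL of the A record as the resolver returned it


# Constructed log of a resolver loop (one query per second) against a
# fast-flux name: every answer is a different host, spread over several
# networks, with a zero TTL so no client ever caches an answer.
FLUX_OBSERVATIONS = [
    Resolution(0, "i-halifax.com", "192.0.2.17", 0),
    Resolution(1, "i-halifax.com", "198.51.100.42", 0),
    Resolution(2, "i-halifax.com", "203.0.113.9", 0),
    Resolution(3, "i-halifax.com", "192.0.2.88", 0),
    Resolution(4, "i-halifax.com", "198.51.100.7", 0),
    Resolution(5, "i-halifax.com", "203.0.113.130", 0),
]

# Constructed log for an ordinary site: one address, an hour-long TTL.
STATIC_OBSERVATIONS = [
    Resolution(t, "example.com", "192.0.2.1", 3600) for t in range(6)
]


def flux_features(obs):
    """Summarise one domain's resolutions as (distinct IPs, distinct /16
    networks those IPs fall in, largest TTL seen)."""
    ips = {str(ip_address(r.ip)) for r in obs}
    networks = {ip.rsplit(".", 2)[0] for ip in ips}   # first two octets
    max_ttl = max(r.ttl for r in obs)
    return len(ips), len(networks), max_ttl


def is_fast_flux(obs, min_ips=5, min_networks=3, max_ttl=300):
    """Flag a name that, within a short window, answers with many distinct
    hosts across several networks, all with cache-defeating TTLs.
    The thresholds are assumptions, not figures from the post."""
    n_ips, n_nets, ttl = flux_features(obs)
    return n_ips >= min_ips and n_nets >= min_networks and ttl <= max_ttl


# Constructed passive-DNS history: (ip, domain, first_seen) as a resolver
# sensor might have recorded it. The Storm-linked names are the ones the
# post mentions; their mapping to these IPs is invented.
PASSIVE_DNS = [
    ("192.0.2.17", "hellosanta2008.com", "2007-12-20"),
    ("192.0.2.17", "postcards-2008.com", "2008-01-02"),
    ("203.0.113.9", "postcards-2008.com", "2008-01-03"),
    ("192.0.2.1", "example.com", "2005-06-01"),
    ("198.51.100.42", "i-halifax.com", "2008-01-08"),
]


def pivot_history(ips, history):
    """Map each IP of interest to the set of domains it has hosted before."""
    seen = defaultdict(set)
    for ip, domain, _first_seen in history:
        if ip in ips:
            seen[ip].add(domain)
    return dict(seen)


def shared_domains(obs, history):
    """Domains other than the queried one that the observed IPs have hosted:
    the pivot the post describes, returned sorted for stable comparison."""
    queried = {r.domain for r in obs}
    ips = {r.ip for r in obs}
    found = set()
    for domains in pivot_history(ips, history).values():
        found |= domains
    return sorted(found - queried)


if __name__ == "__main__":
    print("i-halifax.com fast-flux?", is_fast_flux(FLUX_OBSERVATIONS))
    print("example.com fast-flux?", is_fast_flux(STATIC_OBSERVATIONS))
    print("also hosted on those IPs:",
          shared_domains(FLUX_OBSERVATIONS, PASSIVE_DNS))
```

Against real data, the resolver log would come from querying the name every few seconds and the history from a passive-DNS feed; the /16 grouping is a crude stand-in for an ASN lookup, which separates a content-delivery network (many IPs, few networks, normal TTLs) from a botnet (many IPs, many networks, near-zero TTLs) more reliably.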

So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before.

But we've been expecting something along these lines.

From our end-of-year Data Security Wrap-up:

   October brought evidence of Storm variations using unique security keys. The unique keys
   will allow the botnet to be segmented allowing "space for rent". It looks as if the
   Storm gang is preparing to sell access to their botnet.

This may be what's happening now.