Here's a screenshot of a site that we discovered back in December, BGI-Funds:

It's of a PHP-based Bulletin Board that's used for money laundering recruitment.

We searched for the following text taken from the site:

"I'll get right to the point. I have large amount of funds"

At the top of the search results was a Symantec post (September '07) making the link between Storm spam and a copy of the phpBB site. So that pretty much confirmed what we wanted to know.

Returning to the search today — the site's still alive — though the name has changed several times. Submitting a Google search for "Paid for Receiving Bank Transfers" provides a large number of results.

Most of the sites are offline; you'll need to view the cache to see an example.

We located two sites that are currently active. They're hosted using fast flux:

Another example:

New forum members have been signing up at both locations in order to communicate with the site's Admin (who promises 10%). The membership list appears to be merged prior to February of this year. Posts to the forum date back to the end of 2004. The recycled forum will apparently survive as long as does the Storm botnet.

One curious thing about the membership list… of those that provide their location, the majority are Canadians. What's up with that?