A New Storm Twist: Phishing
January 8th, 2008 by Paul Ferguson (Advanced Threats Researcher)
It should not be news to you that we do an extraordinary amount of work keeping track of domains, correlating domain information — both old and new — to previously identified IP host addresses and known “bad actors”.
This is part of our ongoing efforts in the area of determining domain reputation — to identify and flag suspicious behavior in such a way as to provide an early warning system for identifying potential web threats.
Having said that, several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of a Royal Bank of Scotland phish above) today.
Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activities.
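As an added illustration of the correlation described above (not code from TrendLabs or this post), the following Python sketches one early-warning rule set: a domain is flagged when it resolves to a previously identified bad IP, or when a freshly registered domain also shows fast-flux behaviour (many distinct A records, all with short TTLs). All domain names, IP addresses, dates and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample data (not from the post): IPs tied to earlier bad actors,
# WHOIS-style creation dates, and passive-DNS style resolution observations.
KNOWN_BAD_IPS = {"203.0.113.10", "203.0.113.44", "198.51.100.7"}
REGISTRATION_DATES = {
    "login-rbs-secure.example": datetime(2008, 1, 7),
    "news-archive.example": datetime(2004, 3, 2),
    "cdn-static.example": datetime(2008, 1, 7),
}
# (domain, observed_at, resolved_ip, ttl_seconds)
DNS_OBSERVATIONS = [
    ("login-rbs-secure.example", datetime(2008, 1, 8, 0, 5), "203.0.113.10", 300),
    ("login-rbs-secure.example", datetime(2008, 1, 8, 0, 12), "192.0.2.15", 300),
    ("login-rbs-secure.example", datetime(2008, 1, 8, 0, 20), "192.0.2.99", 300),
    ("login-rbs-secure.example", datetime(2008, 1, 8, 0, 31), "198.51.100.7", 300),
    ("news-archive.example", datetime(2008, 1, 8, 1, 0), "192.0.2.200", 86400),
    ("news-archive.example", datetime(2008, 1, 8, 6, 0), "192.0.2.200", 86400),
    ("cdn-static.example", datetime(2008, 1, 8, 2, 0), "192.0.2.50", 60),
    ("cdn-static.example", datetime(2008, 1, 8, 2, 1), "192.0.2.51", 60),
]
ANALYSIS_TIME = datetime(2008, 1, 8, 12)

def score_domains(observations, registration_dates, known_bad_ips, now,
                  new_days=7, flux_ips=3, flux_ttl=600):
    """Return {domain: [reasons]} for domains that trip the early-warning rules."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, _seen, ip, ttl in observations:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    flagged = {}
    for domain in ips:
        reasons = []
        created = registration_dates.get(domain)
        is_new = created is not None and now - created <= timedelta(days=new_days)
        if is_new:
            reasons.append("newly-registered")
        overlap = ips[domain] & known_bad_ips
        if overlap:  # correlation with previously identified bad hosts
            reasons.append("resolves-to-known-bad:" + ",".join(sorted(overlap)))
        # Fast-flux heuristic: many distinct A records, all with short TTLs.
        if len(ips[domain]) >= flux_ips and max(ttls[domain]) <= flux_ttl:
            reasons.append("fast-flux-like")
        # A young domain on its own is normal; require a corroborating signal.
        if len(reasons) > 1 or (reasons and not is_new):
            flagged[domain] = reasons
    return flagged
def flagged_domains():
    return score_domains(DNS_OBSERVATIONS, REGISTRATION_DATES, KNOWN_BAD_IPS, ANALYSIS_TIME)
```

With the constructed data only the phishing-style domain is flagged; the young CDN-like domain with two short-TTL records is deliberately left alone, since youth alone is not a signal.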
We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers, but it is interesting to see this criminal progression as Storm “celebrates” being a year-old this month.
We’ve identified several of these phishing domains and blocked them, and will continue to identify and block them as they pop up.
Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Research
