

Jan 8
by Paul Ferguson (Advanced Threats Researcher)

[Image: storm_phishing_rbs.JPG, partial screenshot of the Royal Bank of Scotland phishing page]

It should not be news to you that we do an extraordinary amount of work keeping track of domains, correlating domain information — both old and new — to previously identified IP host addresses and known “bad actors”.

This is part of our ongoing efforts in the area of determining domain reputation — to identify and flag suspicious behavior in such a way as to provide an early warning system for identifying potential web threats.

Having said that, several domains which were only registered yesterday “popped up” on our internal early warning systems overnight, and surprisingly enough, we started seeing these hosts serving up phishing pages (partial screenshot of Royal Bank of Scotland phish above) today.

Another interesting aspect of this turn of events is that these hosts are part of the Storm fast-flux botnet, and we detected them while watching domain activity normally associated with suspected RBN (Russian Business Network)-associated activity.
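As an added illustration (not the post's own tooling) of the correlation described above: a minimal early-warning check that flags newly registered domains only when their resolved hosts overlap a list of previously identified bad IP addresses or show fast-flux churn, so that newness alone does not raise an alert. The domain names, IP addresses, TTLs and thresholds are constructed for this example.

```python
from datetime import date

# Constructed sample data (not from the original post): registration date and
# recent passive-DNS observations per domain as (observed, resolved_ip, ttl_seconds).
PDNS = {
    "newbank-secure-login.test": {
        "registered": date(2008, 1, 7),
        "records": [
            (date(2008, 1, 8), "198.51.100.10", 60), (date(2008, 1, 8), "198.51.100.77", 60),
            (date(2008, 1, 8), "203.0.113.5", 60), (date(2008, 1, 8), "203.0.113.9", 60),
        ],
    },
    # an old, stable domain on a single host with a long TTL: should not be flagged
    "long-lived-shop.test": {"registered": date(2005, 3, 2),
                             "records": [(date(2008, 1, 8), "192.0.2.20", 86400)]},
    # brand new but with no corroborating infrastructure evidence: should not be flagged
    "fresh-but-quiet.test": {"registered": date(2008, 1, 7),
                             "records": [(date(2008, 1, 8), "192.0.2.30", 3600)]},
}
# Constructed set of IPs previously tied to known-bad infrastructure.
KNOWN_BAD_IPS = {"198.51.100.10", "203.0.113.9"}
TODAY = date(2008, 1, 8)


def assess_domain(entry, known_bad, today, max_age_days=7, flux_min_ips=3, flux_max_ttl=300):
    """Return the list of reasons to suspect this domain (empty if none)."""
    reasons = []
    age_days = (today - entry["registered"]).days
    ips = {ip for _, ip, _ in entry["records"]}
    max_ttl = max(ttl for _, _, ttl in entry["records"])
    if age_days <= max_age_days:
        reasons.append(f"registered {age_days}d ago")
    overlap = ips & known_bad  # correlation with previously identified bad hosts
    if overlap:
        reasons.append("resolves to known-bad hosts: " + ", ".join(sorted(overlap)))
    if len(ips) >= flux_min_ips and max_ttl <= flux_max_ttl:  # many hosts, short TTLs
        reasons.append(f"fast-flux pattern: {len(ips)} IPs with TTL <= {max_ttl}s")
    return reasons


def early_warning(pdns, known_bad, today):
    """Flag a domain only when infrastructure evidence corroborates its newness."""
    flagged = {}
    for name, entry in pdns.items():
        reasons = assess_domain(entry, known_bad, today)
        if any(not r.startswith("registered") for r in reasons):
            flagged[name] = reasons
    return flagged
```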

We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers, but it is interesting to see this criminal progression as Storm “celebrates” being a year old this month.

We’ve identified several of these phishing domains and blocked them, and will continue to identify and block them as they pop up.

Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Research




3 Responses to “A New Storm Twist: Phishing”

  1. Zero Day mobile edition Says:

    [...] see Trend Micro’s take and Techmeme for more [...]

  2. Zombie Computer Army Targets Bank Account Passwords — A Technocrat’s Blog Says:

    [...] “The issue becomes how do you work to take it down and find the perpetrators,” said Ferguson, who had written the incident up on Trend Micro’s Malware Blog. [...]

  3. TECH.GEEK » Phishers harness Storm worm botnet Says:

    [...] domains. The company also noted that the Royal Bank of Scotland customers had been targeted. On a blog post, it had detected that the hosts “were watching domain activity normally associated with [the] [...]



© Copyright 2008 Trend Micro Inc. All rights reserved.