The Storm Trojan and related botnets have become so huge, and so prolific in their social engineering tricks, that it's almost becoming easy to overlook some of what they are up to. The file on this one is getting so thick that it's getting harder to keep up with each new page.
But here’s something that stands out: Evidence that Storm’s controllers are now using it for phishing attacks.
Mikko Hypponen has written an analysis on it in the F-Secure blog complete with screen shots. He writes about detecting a phishing run using the domain i-halifax.com, in which the IP address of the site was changing every second or so. The server i-halifax.com was an active fast flux site and was hosted within a botnet, he says.
“Somebody is now using machines infected with and controlled by Storm to run phishing scams,” he says. “We haven’t seen this before, but we’ve been expecting something along these lines.”
Here’s one of the screen shots from the F-Secure blog: