Identity thieves appear to be using part of the Storm botnet to conduct phishing attacks on customers of two UK-based banks, researchers have reported.
Two recent phishing attacks - one aimed at Barclays customers, the other at Bank of Scotland account holders - appear to originate from domains associated with known campaigns designed to build up the Storm botnet (the network of infected PCs).
Fortinet was the first security company to confirm that the Barclays attack came from Storm-controlled machines. In a post on Monday, Fortinet research engineer Derek Manky noted that the phishing emails originated from a Storm fast-flux domain that the botnet had used since the middle of 2007.
In fast-flux, addresses are rapidly registered and de-registered with the address list for either a single DNS (domain name system) server or an entire DNS zone. In both cases, the strategy masks the IP address of the malware site by hiding it behind an ever-changing array of compromised machines acting as proxies. In extreme cases, the addresses change every second.
On Tuesday, after the domain used in the Barclays phish was blocked by a web domain registrar, the botnet switched domains and started sending mail to customers of Halifax, a division of the Bank of Scotland, Manky said. Like the first campaign, the second tried to dupe recipients out of their banking account usernames and passwords.
The Finnish security firm F-Secure connected one of the IP addresses used in the Halifax phish to domains previously used by the Storm botnet, including postcards-2008.com, one of several referenced in New Year's Day greeting spam that began appearing just after Christmas.
"Somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before," said Mikko Hypponen, F-Secure's chief research officer, in a blog yesterday. "But we've been expecting something along these lines."
Paul Ferguson, network architect at Trend Micro, echoed Hypponen in a warning of his own. "We can only suspect that perhaps a portion of the Storm botnet is being rented out to phishers," Ferguson said.
But Joe Stewart, a senior security researcher at SecureWorks, and an expert on Storm, wasn't so sure. Through a spokeswoman, Stewart said that he had seen no hard evidence of the botnet being leased to phishers. In October, Stewart said the Trojan had added encryption to its command and control traffic, and speculated that the move was one way the hackers could partition the army of zombie PCs in preparation for renting pieces to other criminals.
Stewart said he had not found any additional encryption keys used by Storm, which would indicate that a split had occurred.
Storm's one-year anniversary is rapidly approaching; the Trojan was first identified on 17 January 2007 as the malicious payload in a large spam run that used news of severe weather battering Europe, as the bait to get people to open a file attachment.