A number of phishing sites may be using domains previously linked to the Storm worm botnet, according to security firm F-Secure. This comes after a phishing site on Tuesday attempted to dupe online users of the Halifax building society. F-Secure found that the IP addresses of the sites were changing every second or so, a characteristic of a botnet using a technique called “fast-flux”.
On further investigation, the domains hosting the pages turned out to be compromised domains previously associated with the Storm botnet and infected with variants of the Storm trojan.
“Somebody is now using machines infected with and controlled by Storm to run phishing scams,” wrote chief research officer Mikko Hypponen in a blog post. “We haven’t seen this before.”
Trend Micro, another security company, also reported phishing attacks from the related domains, and noted that Royal Bank of Scotland customers had been targeted. In a blog post, it said it had detected that the hosts “were watching domain activity normally associated with [the] suspected RBN (Russian Business Network)-associated activities.”
The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will reach its first anniversary next week, on 19 January.