Tuesday, 8 January 2008

Storm goes phishing?

Today Shadowserver picked up a new name being used by the Storm worm: i-barclays.com. Obviously, this site can be (and evidently has been) used for phishing. This is a new twist for whoever is behind Storm, as we've not seen them try the phishing angle. All Storm nodes capable of serving up any of the Holiday ecards can also serve as phishing sites.

It should be pointed out that the registrar, nic.ru, has not pulled any of the original Holiday ecard domains. There is little reason to believe that they will pull new phishing domains with any reasonable speed. The Storm group stands to be the new owners of thousands of accounts, both with Barclays and Halifax (the other domain currently in use is i-halifax.com). Barclays is returning a 403 error from Storm nodes at the moment, but the Halifax phish is live.

Others have seen similar behavior:

  • PhishTank has screenshots of the phish itself.
  • SCMagazineUS.com reported on a finding by Fortinet.

i-barclays.com has shown up before as a known phishing domain, but someone didn't get the memo when the Storm group re-registered it.

=>Posted January 08, 2008, at 09:42 AM by Mike Johnson