Phishers now leasing the Storm worm botnet

Domains of several new phishing sites are cropping up with known Storm worm domains. F-Secure researchers think phishers are leasing parts of the larger botnet.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Jan. 10, 2008 9:45 a.m. PT

A number of phishing sites have cropped up within the last day using domains previously attributed to the Storm worm botnet. Last fall, Storm was used in a series of pump-and-dump stock spam blasts, including a unique MP3-based spam blast, but researchers at F-Secure don't think the original authors of Storm are necessarily trying something new. F-Secure said Tuesday that "October brought evidence of Storm variations using unique security keys. The unique keys...allow the botnet to be segmented allowing 'space for rent.'" They think phishers are leasing parts of the larger botnet.

F-Secure cites a Halifax bank as one of the phishing targets, while Trend Micro identifies the Royal Bank of Scotland as another. What connects these sites are the server domains hosting the pages. Trend Micro said Tuesday it detected the hosts "while watching domain activity normally associated with suspected RBN (Russian Business Network) -associated activities."

The original Storm worm code, so named because it coincided with a severe winter storm in Europe, will celebrate its first anniversary next week, on or around January 19.