
Storm botnet used to mount phishing attacks on banks

The Fortinet Global Security Research team has detected two phishing attacks on major banks that were mounted using the Storm Worm botnet, said to be the first attack on the financial sector by Storm's huge network of zombie computers.

The attackers first targeted Barclays bank, then shut down the bogus Barclays phishing site once Fortinet had detected it and mounted a new attack on Halifax Bank customers, Fortinet Threat Response Team manager Guillaume Lovet said today.

The phishing emails sent out in the first attack linked to a bogus site hosted by a domain registered in Russia, Lovet said. Thousands of messages were sent out in a general mailing aimed at snaring bank customers, he said.

In each attack, recipients received an official-looking email informing them that the bank was undertaking a "periodic review" of its customer accounts "in order to reduce the instances of fraud on our website." The recipients were instructed to click a link purporting to lead to the bank's website to verify their account information, but were instead directed to phishing sites that attempted to harvest their account log-in and password details.
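The lure described above has two detectable traits: the stock "periodic review" wording, and a link whose visible text names the bank while its href points somewhere else. The following is an added example of a heuristic that checks both, written for this article and not taken from Fortinet or the phishing kit; the sample message, the trusted domain list and the lure phrase list are constructed for the example.

```python
"""Heuristic check for bank-phishing lures: known lure phrases plus links
whose destination domain is not one the bank owns or does not match the
domain shown in the link text.  Everything here is illustrative."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lure wording quoted in the article, plus a generic call to action (assumed).
LURE_PHRASES = ("periodic review", "reduce the instances of fraud", "verify your account")

# Domains the banks legitimately use (assumed for the example).
TRUSTED_DOMAINS = {"barclays.co.uk", "halifax.co.uk"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for suffixes such as co.uk.
    Sufficient for the example; production code should use the public suffix list."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(html):
    """Return a list of human-readable findings for one HTML message body."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"lure phrase: {phrase!r}")

    parser = _LinkCollector()
    parser.feed(html)
    for href, visible in parser.links:
        target = registrable_domain(urlsplit(href).hostname or "")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {target}")
        # Link text that looks like a URL but names a different host than the href.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible.lower())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text {visible!r} does not match target {target}")
    return findings


def verdict(html):
    """'phishing' if any link is suspicious, otherwise 'clean'."""
    return "phishing" if any(f.startswith("link") for f in analyse(html)) else "clean"


# Constructed sample modelled on the lure quoted in the article; the
# destination domain uses the reserved .example TLD.
SAMPLE = """<html><body>
<p>Dear valued customer,</p>
<p>Barclays is undertaking a periodic review of its customer accounts
in order to reduce the instances of fraud on our website.</p>
<p>Please click <a href="http://barclays-verify.example/login">https://www.barclays.co.uk/verify</a>
to verify your account information.</p>
</body></html>"""

# Constructed benign message for contrast.
LEGIT = '<p>See <a href="https://www.barclays.co.uk/help">our help pages</a>.</p>'

if __name__ == "__main__":
    for name, body in (("SAMPLE", SAMPLE), ("LEGIT", LEGIT)):
        print(name, verdict(body))
        for finding in analyse(body):
            print("  -", finding)
```

The phrase match on its own is weak evidence, since a real bank notice could use similar wording; the link mismatch is the stronger signal, which is why `verdict` keys on it alone.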

A particularly disturbing aspect of the bank phishing attacks, Lovet said, was that they each made use of "old phishing kits" first seen more than three years ago. According to Lovet, this could be an indication that the attacks were initiated by "amateurs" who acquired access to the Storm botnet.

"These were not skilled hackers," Lovet said. "They used an old kit and didn't even bother to modify it."

Last month, Cisco warned that the creators of the Storm trojan and botnet might be preparing to sub-let it to cybercriminals for phishing attacks.

Lovet said the fake bank emails were snared in honeypots that Fortinet uses to monitor new phishing expeditions. The response team leader said the attackers did not appear to be using targeted lists of bank customers.

"It really was a shot in the dark," he said, adding that the attackers were likely planning to sell the customers' account credentials to other criminals.

Lovet urged banks to provide tutorials to all new customers warning them about phishing before their accounts are activated. He also said that the implementation of regularly changed confirmation messages to be received by customers when they log into their accounts could help limit the damage from phishing activities.

According to the SANS Internet Storm Center, infected machines recently sent out Christmas- and New Year's-themed messages designed to expose recipients to variations of the Storm trojan. 

The Storm trojan has proven to be a shape-shifting chameleon, able to lay dormant for weeks only to return in a new format. It has been delivered to users' inboxes in everything from URLs to ZIP or MP3 attachments and digital greeting cards.

