Application security, Threat Management, Incident Response, Malware, Phishing, TDR

Storm makes house calls: Messages lead to bogus med sites

The notorious Storm worm botnet, which has mounted phishing attacks on major banks and spawned several waves of holiday-themed messages in recent weeks, has now changed tactics and is generating spam that directs recipients to bogus medical sites, Websense has warned.


A Websense Security Lab blog posting on Tuesday reported that new messages being generated by Storm's army of zombie computers contain links that are infected at the root level (such as https://IP address), which enables medical spam sites linked to the messages to evade spam filters.


The Websense blog posted samples of the new Storm messages, which are formatted with an IP address and a short random directory name, with subject lines including, “You won't spend too much for these meds!” A link contained in the message sends the recipient to a bogus professional-looking medical site called “Canadian Pharmacy, #1 Internet Online Drugstore.”


Earlier this month, the Storm worm trojan continued its holiday-themed onslaught – first seen in fake Christmas and New Year's messages – with a massive wave of “love” notes that attempt to deliver malicious code to a recipient's PC.


According to Sophos, the body of each love message directed the recipient to an IP address-based site hosted on the Storm botnet and infused with JavaScript code that attempts to hide the link to malware binary from automated crawlers.


Researchers at Sopho said the Valentine-inspired attack metastasized this month to the point where it was making up almost eight percent of overall email traffic.


The Valentine-themed email blitz came on the heels of two phishing attacks on major international banks that are believed to have been mounted using the Storm botnet, the first such assault on the financial sector emanating from the Storm network, which many researchers believe originated in Russia.


The Fortinet Global Security Research team reported that attackers first targeted Barclays bank, and then shut down their bogus Barclays phishing site on detection by Fortinet and mounted a new attack on Halifax Bank customers, according to Guillaume Lovet, Fortinet Threat Response Team manager.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.