FortiGuard Center

FortiGuard Advisory (FGA-2008-02)



Storm Worm Botnet Sending Barclays Phishing E-Mails
2008.January.07

The Fortinet Global Security Research Team has discovered phishing activity emanating from the "Storm Worm" botnet. This infamous peer-to-peer botnet, widely recognized as the largest, most active and most resilient network of infected "zombie" computers, is known for massively spreading stock spam (aka "pump'n'dump" spam) and other offers. Its involvement in bank phishing marks a milestone in Storm's evolution: while spam is an annoyance, phishing is a threat that typically aims to siphon money from targeted end-users' bank accounts.

As of writing, the phishing run is targeting Barclays customers. All of the emails have a similar body (see the sample in Figure 1 below) and use a typical social engineering pitch directed at users who have a moderate level of awareness: users who may have heard that online banking is subject to fraudulent computer attacks, but who cannot recognize one. Phishers often use this social engineering approach for three reasons:

1. A security check is a good pretext to ask people to log in to their account.
2. The "fear factor" carried by a security check is a strong incentive for people to actually follow through.
3. Users may feel that, since the email announces a security check, the email itself cannot be one of the attacks it refers to.


Figure 1: Barclays Phishing Attempt


Interestingly, the social engineering hook in the email has existed for quite some time: it was already described four years ago, in a Netcraft report dated January 9, 2004. This indicates that the current material has most likely been dug up from an old phishing kit.

The phishing site is hosted on a fast flux domain (a robust network structure which Storm has been using since mid-2007; see our Canadian Pharmacy analysis for more information on fast flux networks). The registrar has been notified, the URL has been blacklisted on Fortinet's Webfiltering Service, and a pattern designed to block the phishing emails is included in Fortinet's AV definitions 8.598.
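The advisory notes that the phishing site sits on a fast flux domain. The following added example (not Fortinet's code) shows a simple defender-side heuristic for spotting fast flux hosting from repeated DNS lookups: short TTLs, many distinct A records spread across unrelated /16 blocks, and addresses that change from one answer to the next. The two DNS snapshots are constructed test data, not addresses from the advisory.

```python
import ipaddress

# Constructed DNS observations for one hostname: a list of (ttl_seconds, A records)
# taken at successive lookups. These are documentation-range addresses, not real IoCs.
STABLE_SITE = [
    (86400, ["203.0.113.10", "203.0.113.11"]),
    (86400, ["203.0.113.10", "203.0.113.11"]),
]
FLUX_SITE = [
    (300, ["198.51.100.7", "192.0.2.44", "203.0.113.200", "198.18.5.9", "100.64.1.3"]),
    (300, ["192.0.2.91", "198.51.100.120", "203.0.113.17", "198.18.77.2", "100.64.200.8"]),
]


def slash16(ip):
    """Return the /16 containing ip; a proxy for 'different network / different owner'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_score(snapshots, ttl_threshold=900, min_ips=5, min_nets=3):
    """Score DNS snapshots for fast flux indicators (0 = none, 4 = all present).

    Indicators: low TTL, many unique addresses, addresses spread over several /16s,
    and churn (addresses in one answer that were absent from the previous answer).
    Thresholds are illustrative assumptions, not values from the advisory.
    """
    ips, nets, churn, prev = set(), set(), 0, None
    for _ttl, records in snapshots:
        cur = set(records)
        ips |= cur
        nets |= {slash16(ip) for ip in cur}
        if prev is not None:
            churn += len(cur - prev)
        prev = cur
    min_ttl = min(ttl for ttl, _ in snapshots)
    score = sum([
        min_ttl <= ttl_threshold,
        len(ips) >= min_ips,
        len(nets) >= min_nets,
        churn > 0,
    ])
    return {"min_ttl": min_ttl, "unique_ips": len(ips),
            "unique_slash16": len(nets), "churn": churn, "score": score}


def is_fast_flux(snapshots):
    """Flag a name when at least three of the four indicators fire."""
    return flux_score(snapshots)["score"] >= 3
```

A legitimate content delivery network can also show low TTLs and many addresses, so in practice this score is a triage signal to combine with registration age and URL reputation, not a verdict on its own.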

UPDATES:
As of 16:00 January 7, 2008 the notified registrar appears to have taken action as the fraudulent Barclays domain in question (linked to by the phishing emails) no longer responds to queries.

As of January 8, 2008, new emails emanating from the Storm botnet have been observed by the Fortinet Global Security Research Team which use the same social engineering and fast flux domain setup but target a different bank: Halifax. This suggests that other banks may be targeted as well. As of writing, the fraudulent Halifax fast flux domain is still alive; the registrar has once again been notified. Figure 2 below shows a sample of this variant:


Figure 2: Halifax Phishing Attempt


Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam) designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.