Phishers bait their hooks with Storm worm
Starting on 7 January, phishing emails purporting to come from Barclays Bank and the Halifax have been traced by Fortinet to the Storm botnet. The emails are well-crafted, with corporate logos, legally correct business contact details and credible use of language. One version of the Halifax email inspected by heise Security even included the correct Halifax/Bank of Scotland helpdesk phone number.
The "Barclays" email referred to a "periodic review" and contained a link to http://i-barclays.com, but the Halifax mail took a stronger line, claiming that an attempt had been made to compromise the recipient's account and that the account would be suspended if the recipient did not re-authenticate. The link in that email pointed to http://i-halifax.com. The domains were registered in Russia on 6 and 7 January 2008 respectively, using bogus registrant details with dummy UK contact addresses.
Antivirus vendor F-Secure has confirmed that i-halifax.com is a fast-flux site, and that the Storm botnet has probably been used for phishing for the first time. However, for the moment this particular campaign seems to have come to an end.