QUOTE: Last night there was a phishing run. The IP address of the site was changing every second or so. The server was an active fast flux site and was hosted within a botnet. Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar (e.g., hellosanta2008 and postcards-2008).
This sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing tosell access to their botnet.