Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Two-Thirds Of All Phishing Attacks Generated By A Single Criminal Group, Researchers Say

'Avalanche' syndicate accounted for 66 percent of phishing in the second half of 2009, APWG reports

Like convenience stores and fast-food restaurants, phishing is no longer a mom-and-pop operation, according to a study released today.

A single crime syndicate dubbed "Avalanche" was responsible for some 66 percent of the phishing traffic generated in the second half of 2009, according to a report (PDF) published by the Anti-Phishing Working Group (APWG).

"Avalanche" is the name given to the world's most prolific phishing gang and to the infrastructure it uses to host phishing sites, according to APWG. "This criminal enterprise perfected a system for deploying mass-produced phishing sites, and for distributing malware that gives the gang additional capabilities for theft," the study says.

Avalanche successfully targeted some 40 banks and online service providers, as well as vulnerable or nonresponsive domain name registrars and registries, in the second half of 2009, according to APWG.

Avalanche could be a successor to the "Rock Phish" criminal operation, which became notorious between 2006 and 2008, APWG says.

"The Rock was the first to bring significant scale and automation to phishing," the report states. "The Rock registered domain names regularly and in large numbers, used fast-flux hosting to support its phishing Web sites and extend their uptimes, and usually placed about six discrete phishing attacks on each domain name."

Avalanche was first seen in December 2008, and was responsible for 24 percent of the phishing attacks recorded in the first half of 2009, the study says. "Avalanche uses the Rock's techniques but improves upon them, introducing greater volume and sophistication," it says.

To speed its spread of attacks, Avalanche runs on a botnet and uses fast-flux hosting that makes mitigation efforts more difficult, APWG says. "There is no ISP or hosting provider who has control of the hosting and can take the phishing pages down, and the domain name itself must be suspended by the domain registrar or registry," the report notes.

An Avalanche attack campaign utilizes a set of domain names that appear almost identical to each other (such as 11f1iili.com, 11t1jtiil.com, 11t1kt1il.com, and 11t1kt1pl.com), the report says. These domain name sets are therefore distinctive and recognizable to those who are looking for them.

"When setting up an attack, Avalanche registered domains at one to three registrars or resellers," APWG reports. "The gang often targets a small number of other registrars, testing to see if those registrars notice. If one registrar starts to quickly suspend the domains or implements other security procedures, the criminals simply move on to other vulnerable registrars. One unresponsive or vulnerable registrar can become a gateway for ongoing abuse."

Although Avalanche snowballed in the second half of 2009, its impact has melted significantly this year, the report says.

"Because they were so damaging, prevalent, and recognizable, Avalanche attacks received concentrated attention from the response community," APWG says. "As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralized the advantage of the fast-flux hosting. Despite this, the attacks were obviously profitable, and they continued in volume.

"In mid-November 2009, members of the security community affected a temporary shut-down of the Avalanche botnet infrastructure," the report continues. "This lasted about a week before the criminals behind the attacks re-established their network. After this event, Avalanche’s activities changed significantly."

Avalanche domain registrations hit a high in December 2009, but by then Avalanche was hosting fewer and fewer attacks overall, the study says. "By March 2010, Avalanche was hosting only one phishing attack on each domain it registered, and attacks dwindled to just 59 in the month of April 2010."

While it appears that Avalanche might have hit the skids, the report leaves the door open for another, similar attack in the future.

"The old Rock Phish operation became quiescent in the summer of 2008, only to be re-born a few months later as the even worse Avalanche," the report states. "As of this writing, Avalanche has dwindled to a shadow of its former self. Will Avalanche fade for good, or will it too be reborn as something new?"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...