Avalanche (phishing group)
Avalanche is a criminal syndicate involved in phishing attacks. In 2010, the Anti-Phishing Working Group (APWG) reported that Avalanche had been responsible for two-thirds of all phishing attacks in the second half of 2009, describing it as "one of the most sophisticated and damaging on the Internet" and "the world's most prolific phishing gang". The name "Avalanche" also refers to the network of websites and systems which the gang uses to carry out its attacks.

Avalanche was discovered in December 2008, and may be a replacement for a successful phishing group known as Rock Phish which stopped operating in 2008. It is believed to be run from Eastern Europe and was given its name by security researchers because of the high volume of its attacks. Avalanche launched 24% of phishing attacks in the first half of 2009; in the second half of 2009, the APWG recorded 84,250 attacks by Avalanche, constituting 66% of all phishing attacks. The number of total phishing attacks more than doubled, an increase which the APWG directly attributes to Avalanche.

Avalanche uses spam email purporting to come from trusted organisations such as financial institutions or employment websites. Victims are deceived into entering personal information on websites made to appear as though they belong to these organisations. Victims may also be asked to install software by email or at the websites. The software is malware which can log keystrokes, steal passwords and credit card information, and allow unauthorised remote access to the infected computer. Internet Identity's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and the Automated Clearing House (ACH) system. They are also performing successful real-time man-in-the-middle attacks that defeat two-factor security tokens."

Avalanche has many similarities to the previous group Rock Phish - the first phishing group which used automated techniques - but has been described as greater in scale and volume. One of the techniques Avalanche uses is to host its domains on compromised computers which are part of a botnet. There is no hosting provider, so it is difficult to take down the domain, requiring the involvement of the responsible domain registrar. In addition, Avalanche uses fast-flux DNS, causing the compromised machines to change constantly. Avalanche attacks also spread the Zeus trojan horse, enabling further criminal activity. The majority of domains which Avalanche uses belonged to national domain name registrars in Europe and Asia. This differs from other phishing attacks, where the majority of domains use U.S. registrars. It appears that Avalanche chooses registrars based on their security procedures, returning repeatedly to registrars which do not detect domains being used for fraud, or which were slow to suspend abusive domains. Avalanche frequently registers domains with between one and three registrars, while testing others to check whether their distinctive domains are being detected and blocked. They target a small number of brands (such as specific financial institutions) at a time, but rotate these regularly. A domain which is not suspended by a registrar is often re-used in a later attack. The group has created a phishing "kit", which is pre-prepared for use with many brands.
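A defender-side illustration of the fast-flux hosting described above, added here and not part of the original article: a heuristic that flags a domain whose successive DNS answers rotate through many addresses in several networks with short TTLs, the pattern a resolver log would show for a domain served from a botnet rather than a hosting provider. The observations, domain names and thresholds are all constructed for the example.

```python
# Added example (not from the article): observations, domain names and
# thresholds are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    ttl: int          # TTL of the answer, in seconds
    addresses: tuple  # A records returned by one lookup


def flux_indicators(observations):
    """Summarise one domain's answers: distinct IPs, distinct /24s, lowest TTL."""
    ips, prefixes = set(), set()
    min_ttl = None
    for obs in observations:
        for addr in obs.addresses:
            ips.add(addr)
            prefixes.add(str(ip_network(f"{addr}/24", strict=False)))
        min_ttl = obs.ttl if min_ttl is None else min(min_ttl, obs.ttl)
    return {"unique_ips": len(ips), "unique_prefixes": len(prefixes), "min_ttl": min_ttl}


def is_fast_flux(observations, ttl_max=300, min_ips=6, min_prefixes=3):
    """Flag a domain rotating through many hosts in many networks with short TTLs.

    The thresholds are illustrative assumptions, not published values.
    """
    ind = flux_indicators(observations)
    return (ind["min_ttl"] is not None and ind["min_ttl"] <= ttl_max
            and ind["unique_ips"] >= min_ips
            and ind["unique_prefixes"] >= min_prefixes)


# Constructed: three lookups minutes apart, each answering with different
# compromised hosts spread over several networks (fast-flux pattern).
FLUX_SAMPLE = (
    DnsObservation("flux.example", 120, ("192.0.2.10", "198.51.100.20", "203.0.113.30")),
    DnsObservation("flux.example", 120, ("192.0.2.11", "198.51.100.21", "203.0.113.31")),
    DnsObservation("flux.example", 90, ("192.0.2.12", "198.51.100.22")),
)

# Constructed: an ordinary site with one stable address and a day-long TTL.
STATIC_SAMPLE = (
    DnsObservation("static.example", 86400, ("192.0.2.50",)),
    DnsObservation("static.example", 86400, ("192.0.2.50",)),
)
```

In practice the observations would come from repeated lookups logged by a recursive resolver, and ASN diversity is a stronger signal than /24 diversity when that data is available.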

Avalanche has attracted significant attention from security organisations; as a result, the uptime of the domain names it uses is half that of other phishing domains. In October 2009, ICANN, the organisation which manages the assignment of domain names, issued a Situation Awareness Note encouraging registrars to be pro-active in dealing with Avalanche attacks. The UK registry, Nominet, has changed its procedures to make it easier to suspend domains because of attacks by Avalanche. Interdomain, a Spanish registrar, began requiring a confirmation code delivered by mobile phone in April 2009, which successfully forced Avalanche to stop registering fraudulent domains with them. In November 2009, security companies managed to shut down the Avalanche botnet for a short time; after this Avalanche reduced the scale of its activities and altered its modus operandi. By April 2010, attacks by Avalanche had decreased to just 59 from a high of more than 26,000 in October 2009, raising concerns that a more damaging successor may be on the way.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.