A single group named ‘Avalanche’ was responsible for two-thirds of all phishing attacks in the second half of 2009.
According to an Anti-Phishing Working Group (APWG) survey, ‘by mid-2009, phishing was dominated by one player’, which it called ‘one of the most sophisticated and damaging on the internet, and perfected a mass-production system for deploying phishing sites and malware designed specifically to automate identity theft and facilitate unauthorised transactions from consumer bank accounts’.
Authored by Greg Aaron from Afilias and Rod Rasmussen from Internet Identity, the survey claimed that Avalanche ‘perfected a system for deploying mass-produced phishing sites, and for distributing malware that gives the gang additional capabilities for theft’.
During that time, it targeted more than 40 major financial institutions, online services and job search providers. The sheer volume of Avalanche attacks dominated some of the metrics, which makes comparing those metrics over time difficult or less meaningful. Avalanche also changed significantly in late 2009, launching far fewer attacks. Avalanche's activities therefore deserve special examination.
The first detections were made in December 2008, and it began by using techniques inspired by the ‘Rock Phish’ criminal operation but improved upon them, introducing greater volume and sophistication.
The survey said: “Avalanche domains are hosted on a botnet comprising consumer-level computers. This ‘fast-flux’ hosting makes mitigation efforts more difficult – there is no ISP or hosting provider who has control of the hosting and can take the phishing pages down, and the domain name itself must be suspended by the domain registrar or registry.”
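As an added illustration of why fast-flux hosting pushes mitigation towards the registrar rather than a hosting provider (example code, not part of the APWG report): a small heuristic over passive-DNS-style observations that flags domains whose addresses rotate across many separate networks with short TTLs. The records, thresholds and function names below are constructed assumptions.

```python
"""Fast-flux heuristic over passive-DNS-style records.

The sample data is constructed for illustration and the thresholds are
assumptions; none of these values come from the APWG report.
"""
from collections import defaultdict

# Constructed observations: (domain, resolved IP, TTL in seconds, origin ASN).
# Addresses come from documentation ranges; ASNs from the private range.
SAMPLE_RECORDS = [
    ("flux-example.test", "198.51.100.7", 180, 64501),
    ("flux-example.test", "203.0.113.22", 180, 64502),
    ("flux-example.test", "192.0.2.140", 120, 64503),
    ("flux-example.test", "198.51.100.91", 180, 64504),
    ("flux-example.test", "203.0.113.5", 120, 64505),
    # Conventional hosting: one address, long TTL.
    ("stable-example.test", "192.0.2.10", 86400, 64500),
    ("stable-example.test", "192.0.2.10", 86400, 64500),
    # CDN-style round robin: several addresses, but one network.
    ("cdn-example.test", "198.51.100.1", 300, 64510),
    ("cdn-example.test", "198.51.100.2", 300, 64510),
    ("cdn-example.test", "198.51.100.3", 300, 64510),
]


def summarise(records):
    """Group records by domain into (unique IPs, unique ASNs, lowest TTL)."""
    ips, asns, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl, asn in records:
        ips[domain].add(ip)
        asns[domain].add(asn)
        ttls[domain].append(ttl)
    return {d: (len(ips[d]), len(asns[d]), min(ttls[d])) for d in ips}


def fast_flux_candidates(records, min_ips=4, min_asns=3, max_ttl=600):
    """Flag domains whose addresses churn across many networks with short TTLs.

    Requiring ASN diversity separates a botnet of consumer machines spread
    over many ISPs from a legitimate CDN rotating addresses in one network.
    """
    flagged = []
    for domain, (n_ips, n_asns, low_ttl) in sorted(summarise(records).items()):
        if n_ips >= min_ips and n_asns >= min_asns and low_ttl <= max_ttl:
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    for domain, stats in summarise(SAMPLE_RECORDS).items():
        print(domain, "ips=%d asns=%d min_ttl=%d" % stats)
    print("candidates for registrar escalation:", fast_flux_candidates(SAMPLE_RECORDS))
```

A flagged domain has no single hosting provider to contact, which is exactly the case where suspension at the registrar or registry becomes the effective takedown path.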
APWG said that in the second half of 2009, a typical Avalanche domain often hosted around 40 separate attacks at a time, and if an Avalanche domain remained active over a long period of time, the gang sometimes placed new phish on that domain and advertised the new target via spam.
The group also claimed that several registries and registrars around the world updated their anti-abuse procedures because of the volume of Avalanche attacks. The .UK registry Nominet instituted an outreach programme to registrars, while the Honduran (.HN) domain registry was alerted as attacks hosted on .HN domains ramped up in July 2009. The Isle of Man (.IM) registry also worked effectively and is willing to suspend malicious registrations, and .IM has been touched by Avalanche only intermittently.
The report claimed: “Because they were so damaging, prevalent and recognisable, Avalanche attacks received concentrated attention from the response community. During an Avalanche campaign, it was not unusual for the target institutions, the relevant domain name registrar(s), a domain name registry, and other responders and service providers to all be aware of the campaign and working on mitigation at the same time.
“As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralised the advantage of the fast-flux hosting. Despite this, the attacks were obviously profitable, and they continued in volume.”
The Avalanche botnet infrastructure was temporarily shut down in mid-November 2009 by members of the security community. The outage lasted about a week before the criminals behind the attacks re-established their network, and after this event Avalanche's activities changed significantly.
The survey also found that in the second half of 2009, the average uptime of all phishing attacks continued to drop from previous periods, although non-Avalanche phishes stayed up noticeably longer than in the first half of 2009.
Also, phishing remained highly concentrated in certain namespaces, with 76 per cent of the attacks occurring in only four top-level domains: .COM, .EU, .NET and .UK. Five top-level domains (.BE, .COM, .EU, .NET and .UK) were used for 88 per cent of malicious domain registrations.
Aaron and Rasmussen said in conclusion: “In the second half of 2009, Avalanche cast a shadow over the landscape. While Avalanche launched a record number of attacks, responders took significant bites out of Avalanche's uptimes. The decreasing Avalanche uptimes showed that the domain name registration community responded with an increasing effectiveness.
“Some registrars and registries remained ineffective, though, and after failing to mount quick defences became victimised on a continuing basis. Avalanche's infrastructure was temporarily disabled late in 2009, and the phishers behind it changed their tactics and launched decreasing numbers of attacks through April 2010. We will continue to monitor this situation with interest.”