‘Avalanche’ Crimeware Kit Fuels Phishing Attacks

A single cybercrime group called “Avalanche” was responsible for nearly one-quarter of all identity theft-related phishing attacks in the first half of 2009, according to a new report by the Anti-Phishing Work Group (APWG).

According to the report, phishing sites on Avalanche domains target the commercial banking platforms of more than 30 financial institutions, major on-line services, and job search providers. 

Social-engineered malware downloads are also being distributed from these same domains. These attacks involve domain names registered by the phishers, set up on name servers controlled by the phishers, and hosted on a fast-flux network of apparently compromised consumer-level machines. This fast-flux hosting makes mitigation efforts more difficult — calling the Internet Service Provider to get a site or IP blocked is not effective, and the domain name itself must be suspended at the registrar or registry level.
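The fast-flux hosting described above is visible from the resolver side: repeated lookups of the same name return short TTLs and A-record sets that keep changing across unrelated networks, whereas a legitimate content-delivery network also uses short TTLs and several addresses but keeps them inside a few netblocks it owns. The script below is an added example written for this page, not code from the article or the APWG report. It scores a constructed log of lookup snapshots on those three signals (TTL, address churn, netblock diversity); the IP addresses are from the documentation ranges, the /24 netblock proxy and every threshold are assumptions chosen for the sample, and the name 11fjfhi.com is borrowed from the report purely as a label.

```python
"""Flag fast-flux hosting from repeated DNS lookups (added example).

Features per domain, computed from a sequence of lookup snapshots:
  distinct_ips   how many different A records were ever returned
  distinct_nets  how many different /24s those records fall into
                 (crude stand-in for "different networks"; real tooling
                 would map each address to its ASN)
  min_ttl        shortest TTL seen
  churn          average fraction of a snapshot's addresses that were not
                 in the previous snapshot
Thresholds below are assumptions tuned to the constructed sample.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed lookup log: (seconds_since_start, domain, ttl, answer set).
# The first domain churns through twelve addresses in three netblocks; the
# CDN-like name rotates inside one /24; the static name never changes.
LOOKUPS = [
    (0,   "11fjfhi.com", 120, ["198.51.100.7", "203.0.113.45", "192.0.2.200", "198.51.100.201"]),
    (180, "11fjfhi.com", 120, ["203.0.113.9", "192.0.2.14", "198.51.100.88", "203.0.113.180"]),
    (360, "11fjfhi.com", 120, ["192.0.2.77", "198.51.100.33", "203.0.113.201", "192.0.2.250"]),
    (0,   "cdn.example.net", 60, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
    (180, "cdn.example.net", 60, ["192.0.2.11", "192.0.2.12", "192.0.2.13"]),
    (360, "cdn.example.net", 60, ["192.0.2.10", "192.0.2.13", "192.0.2.12"]),
    (0,   "static.example.org", 86400, ["198.51.100.5"]),
    (360, "static.example.org", 86400, ["198.51.100.5"]),
]


def netblock(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its /prefix network, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return str(ip_network(f"{ip_address(ip)}/{prefix}", strict=False))


def flux_features(lookups):
    """Return {domain: feature dict} from (t, domain, ttl, ips) tuples."""
    by_domain = defaultdict(list)
    for t, domain, ttl, ips in lookups:
        by_domain[domain].append((t, ttl, set(ips)))

    features = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])  # chronological order
        seen_ips = set().union(*(r[2] for r in rows))
        churn = [len(cur - prev) / len(cur)
                 for (_, _, prev), (_, _, cur) in zip(rows, rows[1:])]
        features[domain] = {
            "distinct_ips": len(seen_ips),
            "distinct_nets": len({netblock(ip) for ip in seen_ips}),
            "min_ttl": min(r[1] for r in rows),
            "churn": sum(churn) / len(churn) if churn else 0.0,
        }
    return features


def is_fast_flux(feat, max_ttl=300, min_ips=5, min_nets=3, min_churn=0.5):
    """Assumed heuristic: short TTL AND many addresses AND many netblocks AND high churn.
    Requiring all four is what separates flux from a CDN in the sample."""
    return (feat["min_ttl"] <= max_ttl and feat["distinct_ips"] >= min_ips
            and feat["distinct_nets"] >= min_nets and feat["churn"] >= min_churn)


def flag_fast_flux(lookups):
    """Sorted list of domains whose lookup history matches the heuristic."""
    return sorted(d for d, f in flux_features(lookups).items() if is_fast_flux(f))


if __name__ == "__main__":
    for domain, feat in flux_features(LOOKUPS).items():
        verdict = "FLUX" if is_fast_flux(feat) else "ok"
        print(f"{domain:20} {verdict:5} {feat}")
```

The point of scoring all four signals together is the caveat the article's mitigation advice implies: blocking the addresses returned at any one moment is pointless when the set rotates every few minutes, and a TTL-only rule would also sweep up CDNs. Once a name is flagged this way, the actionable target is the domain, which goes to the registrar or registry, not to the ISP of whichever host happened to answer.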

The APWG said the Avalanche phishing kit accounted for a whopping 24% (13,334) of all phishing attacks seen during 1H 2009. However, because each domain is used to mount up to 30 attacks, those attacks were hosted on only about 8% of all domains used for phishing, the group said.

Here’s the nitty gritty from the report on how Avalanche works:

An Avalanche attack campaign consists of many domain names that appear almost identical to each other (such as 11fjfhi.com, 11fjfhj.com, 11fjfh1.com, and 11fjfhl.com). These domain name groupings are therefore distinctive and recognizable to those who are looking for them. While only one or two brands are typically spammed at any one time during an Avalanche attack, the miscreants rotate back to older targets frequently. If an Avalanche domain remains active over a long period of time, spam for other targets may be sent using it.

When setting up an attack, Avalanche registers domains at one to three registrars or resellers. They also target a small number of other registrars, testing to see if the registrar notices the registrations. If one registrar starts to quickly suspend the domains or implements other security procedures, Avalanche simply moves on to other vulnerable registrars. The phishers also employ additional tricks. For one batch of domain registrations, they chose a registrar located in a small country, and used credit card numbers stolen from consumers in that country in an attempt to avoid notice.

Avalanche does the same with top-level domains, registering in TLDs where the registry operator may not be an active or effective participant in mitigation efforts.
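The report's point that Avalanche domain batches are "distinctive and recognizable to those who are looking for them" can be turned into a concrete check on a registration feed: names whose registrable label differs from another registered name by a single character, appearing together, are a likely batch. The script below is an added example written for this page, not code from the APWG report or from the article. The feed contents are constructed (the four names quoted in the report, a second invented batch, and some unrelated registrations), and the edit-distance and cluster-size thresholds are assumptions.

```python
"""Cluster near-identical domain registrations into candidate batches (added example).

Given a list of newly registered domain names, group those whose second-level
labels are within edit distance 1 of another member, and report groups with
at least three names. The TLD is deliberately ignored because the report says
the group spreads batches across registrars and TLDs.
"""
from collections import defaultdict


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Lower-cased second-level label: '11fjfhi.com' -> '11fjfhi'.
    Assumes single-label TLDs; a public-suffix list would be needed for e.g. .co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def cluster_lookalikes(domains, max_distance=1, min_cluster=3):
    """Union-find over pairs of labels within max_distance edits.

    Returns clusters (each a sorted list of domains) with at least min_cluster
    members, largest first. Pairwise comparison is O(n^2); bucket by label
    length first for feeds much larger than a few thousand names.
    """
    doms = sorted(set(domains))
    labels = [registrable_label(d) for d in doms]
    parent = list(range(len(doms)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(doms)):
        for j in range(i + 1, len(doms)):
            # edit distance is at least the length difference; skip cheaply
            if abs(len(labels[i]) - len(labels[j])) > max_distance:
                continue
            if levenshtein(labels[i], labels[j]) <= max_distance:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, d in enumerate(doms):
        groups[find(i)].append(d)
    return sorted((sorted(g) for g in groups.values() if len(g) >= min_cluster),
                  key=lambda g: (-len(g), g[0]))


# Constructed sample feed: the four names quoted in the report, an invented
# second batch on another TLD, and unrelated legitimate-looking registrations.
SAMPLE_FEED = [
    "11fjfhi.com", "11fjfhj.com", "11fjfh1.com", "11fjfhl.com",
    "example-bakery.com", "my-photo-blog.net",
    "q7zxpa.info", "q7zxpb.info", "q7zxpc.info",
    "shop-local-deals.org",
]

if __name__ == "__main__":
    for group in cluster_lookalikes(SAMPLE_FEED):
        print(f"{len(group)} near-identical names:", ", ".join(group))
```

Two of the report's observations shape the design: clustering on the label rather than the full name lets a batch split across TLDs still group together, and the cluster-size floor keeps isolated typo-like pairs (two unrelated owners one character apart) from being flagged. A registrar running this over its own daily registrations would review each cluster as a unit, since the report notes that suspending the domain is the mitigation that actually works against fast-flux hosting.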

The APWG said Avalanche attacks increased significantly into the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009.

* Read the full report [PDF from apwg.org]