"Avalanche" phishing slowing, after big 2009


But may return.

A single crime syndicate dominated the phishing scene last year, but the outfit appears to be slowing down in 2010, a new report concludes.

The Eastern European-based ring, dubbed 'Avalanche', was responsible for roughly two-thirds of all phishing attacks launched in the second half of last year, according to a study released by the nonprofit Anti-Phishing Working Group (APWG). That is up significantly from the first half of 2009, when Avalanche was blamed for a quarter of all phishes.

Specifically during the second half of last year, Avalanche accounted for 84,250 of 126,597 total phishing attacks, the report said. The 126,597 number was more than double the amount of phishing attacks recorded during the first half of 2009.

In Avalanche's case, victimised brands included some 40 financial services companies and online service and job search providers.

Aside from phishing, Avalanche also has been responsible for delivering emails containing links pointing to the dangerous Zeus data-stealing trojan.

What has made the group so successful is its advanced infrastructure, and most agree Avalanche is a successor to the Rock Phish ring, considered the first syndicate to automate phishing, said Rod Rasmussen, founder and CTO of security firm Internet Identity and co-author of the report.

Avalanche hosts its domains on a botnet consisting of compromised PCs and uses fast-flux techniques to hide the host server, he said.
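To show what the fast-flux behaviour described above looks like from the responder's side, here is an added example (not from the article or the APWG report) that scores constructed DNS observations for flux-like hosting: many distinct addresses spread across several ASNs, each answered with a short TTL. The observation record format, the availability of an ASN lookup and the scoring thresholds are all assumptions made for illustration.

```python
"""Heuristic fast-flux detector over constructed DNS observations (added example).

Fast-flux hosting rotates a domain's A records across many compromised
hosts and keeps TTLs short so the rotation takes effect quickly. The
features and thresholds below are assumptions, not the APWG's method.
"""
from collections import defaultdict
from typing import NamedTuple


class Observation(NamedTuple):
    domain: str
    ts: int    # seconds since epoch when the answer was seen
    ttl: int   # TTL carried on the A record
    ip: str    # resolved IPv4 address
    asn: int   # origin ASN of that address (assumed available from a lookup)


def fast_flux_score(obs: list[Observation]) -> dict:
    """Compute flux features for one domain and return them with a verdict."""
    if not obs:
        return {"flux": False}
    ips = {o.ip for o in obs}
    asns = {o.asn for o in obs}
    # Distinct /16s as a crude proxy for hosts scattered across networks
    prefixes = {".".join(o.ip.split(".")[:2]) for o in obs}
    avg_ttl = sum(o.ttl for o in obs) / len(obs)
    # Assumed thresholds: a flux domain shows many IPs, several ASNs, short TTLs
    flux = len(ips) >= 5 and len(asns) >= 3 and avg_ttl <= 300
    return {"unique_ips": len(ips), "unique_asns": len(asns),
            "unique_prefixes": len(prefixes), "avg_ttl": avg_ttl, "flux": flux}


def classify(observations: list[Observation]) -> dict[str, dict]:
    """Group observations by domain and score each one."""
    by_domain: dict[str, list[Observation]] = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    return {d: fast_flux_score(v) for d, v in by_domain.items()}


# Constructed sample data: one flux-like domain, one stable domain (.test TLD)
SAMPLE = [
    Observation("login-bank-example.test", 1000 + i * 60, 180,
                f"10.{i * 7 % 250}.{i * 13 % 250}.{i + 1}", 64500 + i % 6)
    for i in range(8)
] + [
    Observation("www.example.test", 1000 + i * 60, 3600, "192.0.2.10", 64496)
    for i in range(8)
]

if __name__ == "__main__":
    for domain, result in classify(SAMPLE).items():
        print(domain, result)
```

Heuristics like this trade false positives (CDNs also spread addresses across networks) for speed; in practice the score is one input to the takedown coordination the report describes, not a verdict on its own.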

"It's very simple for them to set up new attacks when someone takes down the old domains," Rasmussen told SCMagazineUS.com.

And there is little anyone can do, aside from the domain registrars and registries.

"Because Avalanche is running its own hosting, the only way to stop it is to suspend domain names," Greg Aaron, director of domain security at Afilias, registry operator for the .info top-level domain, told SCMagazineUS.com.

But after a year of attacks courtesy of Avalanche, the targeted parties got wise, according to the report.

"Because they were so damaging, prevalent, and recognisable, Avalanche attacks received concentrated attention from the response community," the APWG report said. "During an Avalanche campaign, it was not unusual for the target institutions, the relevant domain name registrar(s), a domain name registry, and other responders and service providers to all be aware of the campaign and working on mitigation at the same time. As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralised the advantage of the fast-flux hosting. Despite this, the attacks were obviously profitable, and they continued in volume."

A weeklong disabling of the Avalanche botnet at the hands of the security community prompted Avalanche operators to significantly shift their strategy, beginning last November, the report said.

This has resulted in far fewer attacks. In April, the syndicate was responsible for 59 attacks, compared to 924 in October.

There is no way to tell if Avalanche is done for good, or if the drop-off is just a temporary lull, experts said. However, its operations surely will spur on copycats.

"What these guys have done is shown other people how to do things that are effective," Rasmussen said.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition