“Avalanche” Cyber Crime Gang Abuses Domain Name Registrations for Phishing and Malware Attacks
A new report was released by the Anti-Phishing Working Group (APWG) at the Sao Paulo, Brazil "Counter Electronic-Crime Operations Summit".
The report is titled "Global Phishing Survey: Trends and Domain Name Use 2H2009". It analyzes abuse of the domain name registration system, and how fraudulently registered domain names are used to operate phishing scams as well as to distribute malware and crimeware.
In the second half of 2009, the "Avalanche" cyber crime gang appears to have been responsible for two-thirds of all phishing attacks launched, and accounted for the overall increase in phishing attacks recorded across the Internet during that period.
The Avalanche gang appears to be a group, perhaps largely of the same people, that has taken over from the notorious "Rock" phishing gang. The Rock phishers were the most prevalent online crime gang in the 2007-2008 period. They built technology to automate phishing, spam and malware attacks by coordinating the compromise, operation and cleanup of thousands of servers across the Internet. The Rock phishing gang is credited with the "Fast Flux" technique: a single phishing or malware domain name is made to resolve, in rapid rotation, to hundreds of different compromised servers, so that taking down any one server (or blocking its IP address) accomplishes little. Only having the domain registrar or registry suspend the domain name itself could guarantee a takedown. This approach effectively defeated IP-based blacklisting as a means of protecting users from visiting known phishing and malware distribution sites.
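To make the fast-flux point concrete, here is an added example (not from the APWG report or the original article) that profiles constructed DNS resolution logs. A fast-flux domain shows many distinct IP addresses across many networks with short TTLs, while a normal site resolves to a stable, small set of addresses. The example also measures how much of the later traffic an IP blacklist learned early on would actually have blocked, which is the weakness the article describes. The log format, the domain names, the IP addresses (from the RFC 5737 documentation ranges), the use of /24 prefixes as a stand-in for ASN diversity, and all thresholds are assumptions for illustration.

```python
"""Fast-flux heuristics over constructed DNS resolution logs (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import statistics


@dataclass
class Resolution:
    ts: int       # constructed timestamp, seconds
    domain: str
    ip: str
    ttl: int      # TTL the resolver returned, seconds


# Constructed log, not real data. One resolution per line: "<ts> <domain> <ip> <ttl>".
# The first domain rotates through many hosts in three different /24s with a short TTL;
# the second is a stable site with two addresses in one network and a long TTL.
SAMPLE_LOG = """\
1000 secure-login.example.net 203.0.113.10 300
1000 secure-login.example.net 198.51.100.77 300
1300 secure-login.example.net 192.0.2.45 300
1600 secure-login.example.net 203.0.113.201 300
1900 secure-login.example.net 198.51.100.9 300
2200 secure-login.example.net 192.0.2.130 300
2500 secure-login.example.net 203.0.113.88 300
1000 www.example.org 192.0.2.10 86400
1000 www.example.org 192.0.2.11 86400
2000 www.example.org 192.0.2.10 86400
"""


def parse_log(text):
    """Parse the constructed log format; malformed IPs raise rather than being scored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ip, ttl = line.split()
        ipaddress.ip_address(ip)  # validate
        records.append(Resolution(int(ts), domain.lower().rstrip("."), ip, int(ttl)))
    return records


@dataclass
class DomainProfile:
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)   # /24 networks, a crude ASN stand-in
    ttls: list = field(default_factory=list)

    @property
    def median_ttl(self):
        return statistics.median(self.ttls)


def profile_domains(records):
    """Aggregate every resolution seen for each domain."""
    profiles = defaultdict(DomainProfile)
    for r in records:
        p = profiles[r.domain]
        p.ips.add(r.ip)
        p.prefixes.add(str(ipaddress.ip_network(f"{r.ip}/24", strict=False)))
        p.ttls.append(r.ttl)
    return dict(profiles)


def is_fast_flux(profile, min_ips=5, max_ttl=600, min_prefixes=2):
    """Assumed thresholds: many IPs, short TTL, spread across several networks."""
    return (len(profile.ips) >= min_ips
            and profile.median_ttl <= max_ttl
            and len(profile.prefixes) >= min_prefixes)


def ip_blacklist_coverage(records, domain, learn_until):
    """Build an IP blacklist from resolutions up to `learn_until`, then return the
    fraction of later resolutions for `domain` that the list would have blocked."""
    seen = {r.ip for r in records if r.domain == domain and r.ts <= learn_until}
    later = [r for r in records if r.domain == domain and r.ts > learn_until]
    if not later:
        return None
    return sum(r.ip in seen for r in later) / len(later)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, prof in profile_domains(recs).items():
        print(f"{name}: ips={len(prof.ips)} prefixes={len(prof.prefixes)} "
              f"median_ttl={prof.median_ttl} fast_flux={is_fast_flux(prof)} "
              f"ip_blacklist_coverage={ip_blacklist_coverage(recs, name, 1300)}")
```

On this constructed data the fluxing domain is flagged and an IP blacklist learned from its first few resolutions blocks none of the later ones, while the stable site is not flagged and its blacklist coverage is complete. That is exactly why the article says only suspending the domain name guarantees a takedown: the domain is the one stable identifier the attacker cannot rotate away from. In production, replace the /24 proxy with real ASN lookups and tune thresholds against known-good CDN traffic, which also uses short TTLs and many addresses but stays within a handful of networks.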
The Avalanche gang appears to have taken the approach to a new level. They continue to register large numbers of domain names, and they also use subdomain hosting services. But they now host the rotating sites on botnets running on consumers' computers, whose owners do not realize that their machines are infected and are being used by cyber criminals, often at night when they sit idle, to serve phishing pages and malware.
The Avalanche gang is not only using this massive infrastructure for phishing; it has also been using it to distribute malware and crimeware, notably the Zeus banking trojan.
