Avalanche (phishing group)

Avalanche (commonly known as the Avalanche Gang) is a criminal syndicate involved in phishing attacks. In 2010, the Anti-Phishing Working Group (APWG) reported that Avalanche had been responsible for two-thirds of all phishing attacks in the second half of 2009, describing it as "one of the most sophisticated and damaging on the Internet" and "the world's most prolific phishing gang".^[1] The name "Avalanche" also refers to the network of websites and systems which the gang uses to carry out its attacks.

Avalanche was discovered in December 2008, and may be a replacement for a successful phishing group known as Rock Phish which stopped operating in 2008.^[2] It is believed to be run from Eastern Europe and was given its name by security researchers because of the high volume of its attacks.^[3]^[4] Avalanche launched 24% of phishing attacks in the first half of 2009; in the second half of 2009, the APWG recorded 84,250 attacks by Avalanche, constituting 66% of all phishing attacks. The number of total phishing attacks more than doubled, an increase which the APWG directly attributes to Avalanche.^[1]

Avalanche uses spam email purporting to come from trusted organisations such as financial institutions or employment websites. Victims are deceived into entering personal information on websites made to appear as though they belong to these organisations. Victims may also be asked to install software by email or at the websites. The software is malware which can log keystrokes, steal passwords and credit card information, and allow unauthorised remote access to the infected computer. Internet Identity's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and the Automated Clearing House (ACH) system. They are also performing successful real-time man-in-the-middle attacks that defeat two-factor security tokens."^[5]

Avalanche has many similarities to the previous group Rock Phish - the first phishing group which used automated techniques - but has been described as greater in scale and volume.^[6] One of the techniques Avalanche uses is to host its domains on compromised computers which are part of a botnet. There is no hosting provider, so it is difficult to take down the domain, requiring the involvement of the responsible domain registrar. In addition, Avalanche uses fast-flux DNS, causing the compromised machines to change constantly. Avalanche attacks also spread the Zeus trojan horse enabling further criminal activity. The majority of domains which Avalanche uses belonged to national domain name registrars in Europe and Asia. This differs from other phishing attacks, where the majority of domains use U.S. registrars. It appears that Avalanche chooses registrars based on their security procedures, returning repeatedly to registrars which do not detect domains being used for fraud, or which were slow to suspend abusive domains.^[5]^[7] Avalanche frequently registers domains with between one and three registrars, while testing others to check whether their distinctive domains are being detected and blocked. They target a small number of brands (such as specific financial institutions) at a time, but rotate these regularly. A domain which is not suspended by a registrar is often re-used in a later attack. The group has created a phishing "kit", which is pre-prepared for use with many brands.^[5]^[8]

Avalanche has attracted significant attention from security organisations; as a result, the uptime of the domain names it uses is half that of other phishing domains.^[1] In October 2009, ICANN, the organisation which manages the assignment of domain names, issued a Situation Awareness Note encouraging registrars to be pro-active in dealing with Avalanche attacks.^[9] The UK registry, Nominet has changed its procedures to make it easier to suspend domains, because of attacks by Avalanche.^[1] Interdomain, a Spanish registrar, began requiring a confirmation code delivered by mobile phone in April 2009 which successfully forced Avalanche to stop registering fraudulent domains with them.^[5] In November 2009, security companies managed to shut down the Avalanche botnet for a short time; after this Avalanche reduced the scale of its activities and altered its modus operandi. By April 2010, attacks by Avalanche had decreased to just 59 from a high of more than 26,000 in October 2009, raising concerns that a more damaging successor may be on the way.^[1]^[2]

References

^ ^a ^b ^c ^d ^e Aaron, Greg - Director, Key Account Management and Domain Security at Afilias (2010). "Global Phishing Survey: Trends and Domain Name Use 2H2009" (PDF). APWG Industry Advisory. Archived from the original (PDF) on 1 June 2010. Retrieved 2010-05-17. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)CS1 maint: multiple names: authors list (link)
^ ^a ^b Greene, Tim. "Worst Phishing Pest May be Revving Up". PC World. Archived from the original on 20 May 2010. Retrieved 2010-05-17. {{cite news}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
^ McMillan, Robert (2010-05-12). "Report blames 'Avalanche' group for most phishing". Network World. Retrieved 2010-05-17.
^ McMillan, Robert (2010-05-12). "Report blames 'Avalanche' group for most phishing". Computerworld. Archived from the original on 16 May 2010. Retrieved 2010-05-17. {{cite news}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
^ ^a ^b ^c ^d "Phishing Trends Report: Analysis of Online Financial Fraud Threats Second Quarter, 2009" (PDF). Internet Identity. Retrieved 2010-05-17.
^ Kaplan, Dan (2010-05-12). ""Avalanche" phishing slowing, but was all the 2009 rage". SC Magazine. Retrieved 2010-05-17.
^ Mohan, Ram (2010-05-13). "The State of Phishing - A Breakdown of The APWG Phishing Survey & Avalanche Phishing Gang". Security Week. Retrieved 2010-05-17.
^ Naraine, Ryan. "'Avalanche' Crimeware Kit Fuels Phishing Attacks". ThreatPost. Kaspersky Lab. Retrieved 2010-05-17.
^ Ito, Yurie. "High volume criminal phishing attack known as Avalanche the delivery method for the Zeus botnet infector". ICANN Situation Awareness Note 2009-10-06. ICANN. Archived from the original on 2 April 2010. Retrieved 2010-05-17. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

[aaron1-1] Aaron, Greg - Director, Key Account Management and Domain Security at Afilias (2010). "Global Phishing Survey: Trends and Domain Name Use 2H2009" (PDF). APWG Industry Advisory. Archived from the original (PDF) on 1 June 2010. Retrieved 2010-05-17. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)CS1 maint: multiple names: authors list (link)

[greene1-2] Greene, Tim. "Worst Phishing Pest May be Revving Up". PC World. Archived from the original on 20 May 2010. Retrieved 2010-05-17. {{cite news}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

[mcmillan1-3] McMillan, Robert (2010-05-12). "Report blames 'Avalanche' group for most phishing". Network World. Retrieved 2010-05-17.

[mcmillan2-4] McMillan, Robert (2010-05-12). "Report blames 'Avalanche' group for most phishing". Computerworld. Archived from the original on 16 May 2010. Retrieved 2010-05-17. {{cite news}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

[iid1-5] "Phishing Trends Report: Analysis of Online Financial Fraud Threats Second Quarter, 2009" (PDF). Internet Identity. Retrieved 2010-05-17.

[kaplan1-6] Kaplan, Dan (2010-05-12). ""Avalanche" phishing slowing, but was all the 2009 rage". SC Magazine. Retrieved 2010-05-17.

[mohan1-7] Mohan, Ram (2010-05-13). "The State of Phishing - A Breakdown of The APWG Phishing Survey & Avalanche Phishing Gang". Security Week. Retrieved 2010-05-17.

[naraine1-8] Naraine, Ryan. "'Avalanche' Crimeware Kit Fuels Phishing Attacks". ThreatPost. Kaspersky Lab. Retrieved 2010-05-17.

[icann1-9] Ito, Yurie. "High volume criminal phishing attack known as Avalanche the delivery method for the Zeus botnet infector". ICANN Situation Awareness Note 2009-10-06. ICANN. Archived from the original on 2 April 2010. Retrieved 2010-05-17. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

v t e Scams and confidence tricks
Terminology	Scam Error account Shill Shyster Sucker list
Notable scams and confidence tricks	1992 Indian stock market scam 2G spectrum case Advance-fee scam Art student scam Badger game Bait-and-switch Black money scam Blessing scam Bogus escrow Boiler room Bride scam Charity fraud Clip joint Coin-matching game Coin rolling scams Drop swindle Embarrassing cheque Exit scam Extraterrestrial real estate Fiddle game Fine print Foreclosure rescue scheme Foreign exchange fraud Fortune telling fraud Gem scam Get-rich-quick scheme Green goods scam Hustling Indian coal allocation scam IRS impersonation scam Intellectual property scams Kansas City Shuffle Locksmith scam Long firm Miracle cars scam Mismarking Mock auction Moving scam Overpayment scam Patent safe Pig in a poke Pigeon drop Pork barrel Pump and dump Redemption/A4V schemes Reloading scam Return fraud Salting Shell game Sick baby hoax SIM swap scam Slavery reparations scam Spanish Prisoner SSA impersonation scam SSC Scam Strip search phone call scam Swampland in Florida Technical support scam Telemarketing fraud Thai tailor scam Thai zig zag scam Three-card monte Trojan horse White van speaker scam Work-at-home scheme
Internet scams and countermeasures	Avalanche Pig Butchering Carding Catfishing Click fraud Clickjacking Cramming Cryptocurrency scams Cybercrime CyberThrill DarkMarket Domain name scams Email authentication Email fraud Internet vigilantism Lenny anti-scam bot Lottery scam PayPai Phishing Referer spoofing Ripoff Report Rock Phish Romance scam Russian Business Network SaferNet Scam baiting 419eater.com Jim Browning Kitboga Scammer Payback ShadowCrew Spoofed URL Spoofing attack Stock Generation Voice phishing Website reputation ratings
Pyramid and Ponzi schemes	Aman Futures Group Bernard Cornfeld Caritas Dona Branca Earl Jones Ezubao Foundation for New Era Philanthropy Franchise fraud High-yield investment program (HYIP) Investors Overseas Service Kapa investment scam Kubus scheme Madoff investment scandal Make Money Fast Matrix scheme MMM Petters Group Worldwide Pyramid schemes in Albania Reed Slatkin Saradha Group financial scandal Secret Sister Scott W. Rothstein Stanford Financial Group Welsh Thrasher faith scam
Lists	Con artists Confidence tricks Criminal enterprises, gangs and syndicates Impostors In the media Film and television Literature Ponzi schemes