Avalanche is top phishing gang by far this year

One group responsible for 25 per cent of all phishing attacks in first six months of this year

A single group of attackers accounted for a quarter of all phishing in the first half of this year, according to a new study.

Called Avalanche, the gang started work late last year and has been increasing its activity since, according to a report by the Anti-Phishing Working Group.  "This criminal operation is one of the most sophisticated and damaging on the Internet and targets vulnerable or non-responsive registrars and registries," the report says.

The group attacks financial institutions, online services and job-search providers using fast-flux techniques that hide its actual attack sites behind an ever changing group of proxy machines, mainly hacked consumer computers, according to APWG's latest Global Phishing Survey.

Rather than dying out after efforts to take down the Avalanche efforts, the gang seems to be increasing its efforts. "Avalanche attacks increased significantly in the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009," the report says. The report period ends July 1, so the next report for the second half of this year will examine the apparent surge in detail.

Because the IP addresses that the attacks seem to be coming from are constantly shifting, notifying ISPs of the problem doesn't work. By the time the ISPs shut down the IP addresses the attack proxies have moved somewhere else, the report says.

The Avalanche gang registers domains at one to three registries or resellers and test whether the registrars notice that they are registering domain names that are nearly identical. If not, they launch attacks from these domains, and if the registrar takes action against them, they just abandon the domains and move on.

An example of these similar domains is given in the report: 11fjfhi.com, 11fjhj.com, 11fjfh1.com, 11 fjfhl.com. Each domain is used to launch up to 30 attacks, APWG says.

Avalanche attacks just one or two businesses at a time and frequently cycles back to re-attack older targets, the report says.

Because mitigation efforts by ISPs and others focused on Avalanche, the average lifetime of each Avalanche attack was significantly lower than the average for all attacks, the report says. The average uptime for all attacks was 39 hours, 11 minutes; for Avalanche attacks, it was 18 hours, 45 minutes, the study says.

APWG researchers consider an attack dead if it stays inactive for an hour. These attacks could be started up again after an hour, which would extend their longevity but would not be measured by the report, the researchers say. So the lifespan of Avalanche attacks may be longer than the report results indicate.

In other study results, it appears that using hacked domains as launch pads for attacks is increasing. Some 14.5 per cent of phishing attacks came from what APWG called malicious domains registered by phishers themselves. That is down from 18.5 per cent in the second half of last year, the period for the group's previous Global Phishing Survey. "Virtually all the rest were hacked or "compromised" domains belonging to innocent site owners," the study says.

Of the malicious domains, 43 per cent were launchpads for the Avalanche attack.

Two top level domains - .pe (Peru) and .th (Thailand) – score highest in a measure of how many second and third level domains within them are used to launch phishing attacks. The average score across all domains was 6.9, and .pe scored 20 while .th scored 16.

Overall, attacks came from 30,131 domains distributed among 171 top level domains. Half (50.3 per cent) of these domains fell within the .com top level domain, 8.5 per cent within .net and 5.6 within .org. The next three most often used top level domains were .eu, .ru and .de, all with less than 3 per cent.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags avalancheAnti-Phishing Working Group (APWG)phishing

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?