The Anti-Phishing Working Group attributed 66 percent of the phishing attacks in the last six months of 2009 to a single cyber-gang known as Avalanche. The crew is suspected to be a successor to the notorious Rock Phish gang of years past.
New research from the Anti-Phishing Working Group (APWG) ties a
single crime syndicate to more than 60 percent of the phishing attacks
in the second half of 2009.
According to the report
a cyber-gang known as Avalanche was responsible for 66 percent of all
phishing attacks during the last six months of 2009 and successfully
targeted some 40 banks and online service providers. Also hit were
vulnerable or non-responsive domain name registrars and registries.
Besides phishing, the group also used its infrastructure to push the notorious Zeus Trojan
"Avalanche's impact was unprecedented," said Greg Aaron, director of
key account management and domain security at Afilias and
co-author of the study, in a statement. "This one criminal group
responsible for two-thirds of the world's phishing, and also combined
it with sophisticated crimeware distribution. The losses by banks
and individual Internet users were staggering."
According to APWG, there are indications the Avalanche crew is a successor to the infamous Rock Phish gang
operated from 2006 to 2008. Avalanche appeared in December of 2008, and
was responsible for 24 percent of the phishing attacks in the first
half of 2009.
"The Rock was the first to bring significant scale and automation to
phishing," the report states. "The Rock registered domain names
regularly and in large numbers, used fast-flux hosting to support its
phishing Web sites and extend their uptimes, and usually placed about
six discrete phishing attacks on each domain name."
Avalanche improved upon the Rock Phish gang's techniques, hosting
domains on a botnet consisting of compromised computers. Since no ISP
or hosting provider has control of the hosting and can take the pages
down, the domain name itself must be suspended by the domain registrar
or registry - making mitigation more difficult, the APWG noted.
In mid-November however security researchers were able to
disrupt the group's botnet for about a week, and since then gang has
launched fewer attacks. By March 2010, Avalanche was hosting only
one phishing attack on each domain it registered, and the number of
attacks fell from 7,089 in November to just 59 in April 2010,
according to the report.
"Avalanche's relentless activities led to the development of some
very effective counter-measures," explained Rod Rasmussen, founder and
CTO of Internet Identity and co-author of the study, in a statement.
"The data shows that the anti-phishing community -- including the
target institutions, security responders, and domain name registries
and registrars -- got very good at identifying and shutting down
Avalanche's attacks on a day-to-day basis."