Single group did 66% of world's phishing
Avalanche of attacks
A single criminal operation was responsible for two-thirds of all phishing attacks in the second half of 2009 and is responsible for a two-fold increase in the crime, a report published this week said.
The Avalanche gang is believed to have risen out of the ashes of the Rock Phish outfit, which by some estimates was responsible for half the world's phishing attacks before fizzling out in late 2008. Driving the success of both groups is their use of state-of-the-art technology for mass-producing imposter websites and distributing huge amounts of crimeware for automating identity theft.
"Avalanche uses the Rock's techniques but improved upon them, introducing greater volume and sophistication," the report, released by the Anti-Phishing Working Group, stated.
Central to Avalanche's success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.
There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted the more than 40 major financial institutions, online services, and job search providers.
Curiously, Avalanche may turn out to be a victim of its own success.
"During an Avalanche campaign, it was not unusual for the target institutions, the relevant domain name registrar(s), a domain name registry, and other responders and service providers to all be aware of the campaign and working on mitigation at the same time," the report stated. "As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralized the advantage of the fast-flux hosting."
White hats briefly shut down the Avalanche infrastructure in mid November, and ever since then phishing attacks generated by the group have dropped precipitously. Last month, the gang launched just 59 attacks, each one with a separate domain.
A PDF of the report is here. ®
@ A successful phishing attack relies on...
Unfortunately it's not so simple. As more and more activities go online we'll be seeing people catching up but with a learning curve. During these transition periods there is an opportunity for phishers to take advantage of the fact that there is still some unfamiliarity with the new way things are getting done.
... and that doesn't even begin to count DNS poisoning or other flaws in the way we've become accustomed to using the internet.
For example, if you open your browser and type the URL of your bank (or use a shortcut, Google search result - whichever) and you are taken to a page that looks EXACTLY like your bank's page, including seeing the URL in the browser and a secure connection, what would make even the more savvy netizens stop and resolve the URL to an IP number and have a record of what the IP # is supposed to be to compare against that?
Generally it would take an extra paranoid person to do that, and where does it end, do you keep a list of every IP number and continually update it as networks change, never surfing anywhere without doing this check? I know of nobody that does this, though some avoid doing online banking for security reasons and are ironically thought of as technically challenged because of it.
smell of the C
A successful phising attack relies on...
....there being a sucker or two out there.
Unfortunately, this is always going to be a truism.
Penguin: We like to fish