The Register® — Biting the hand that feeds IT


Single group did 66% of world's phishing

Avalanche of attacks


A single criminal operation was responsible for two-thirds of all phishing attacks in the second half of 2009 and is responsible for a two-fold increase in the crime, a report published this week said.

The Avalanche gang is believed to have risen out of the ashes of the Rock Phish outfit, which by some estimates was responsible for half the world's phishing attacks before fizzling out in late 2008. Driving the success of both groups is their use of state-of-the-art technology for mass-producing imposter websites and distributing huge amounts of crimeware for automating identity theft.

"Avalanche uses the Rock's techniques but improved upon them, introducing greater volume and sophistication," the report, released by the Anti-Phishing Working Group, stated.

Central to Avalanche's success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.
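One way an abuse desk or registrar might group such look-alike registrations for review, as an added example that is not from the article or the APWG report. The glyph set, the threshold and all function names are assumptions, and every domain other than the two quoted above is constructed.

```python
import re
from collections import defaultdict

# Glyphs that are hard to tell apart at a glance in many fonts. Assumed set,
# chosen to cover the characters used in the two domains quoted in the article.
THIN_GLYPHS = set("1lijtf")


def _label(domain: str) -> str:
    """Left-most label of a registered domain (input is assumed to be label.tld)."""
    return domain.lower().rstrip(".").split(".")[0]


def skeleton(domain: str) -> str:
    """Shape signature: each thin glyph becomes '|' and runs of '|' collapse,
    so labels differing only in which thin glyphs they use, or how many, match."""
    mapped = "".join("|" if ch in THIN_GLYPHS else ch for ch in _label(domain))
    return re.sub(r"\|+", "|", mapped)


def thin_ratio(domain: str) -> float:
    """Fraction of the label made up of thin, easily confused glyphs."""
    label = _label(domain)
    return sum(ch in THIN_GLYPHS for ch in label) / len(label) if label else 0.0


def cluster_lookalikes(domains, min_ratio=0.6):
    """Group domains that are mostly thin glyphs and share a skeleton.
    Only groups with two or more members are returned, as a triage list."""
    groups = defaultdict(list)
    for d in domains:
        if thin_ratio(d) >= min_ratio:
            groups[skeleton(d)].append(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Sample registration feed: the first two names are quoted in the article,
# the rest are constructed for contrast.
SAMPLE = [
    "11f1iili.com", "11t1jtiil.com",
    "example.com", "example.net", "little.example", "login.example",
]

if __name__ == "__main__":
    for sig, members in cluster_lookalikes(SAMPLE).items():
        print(f"skeleton {sig!r}: {members}")
```

The skeleton match is deliberately coarse, so a cluster is a prompt for human review of registration data, not a verdict.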

There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted more than 40 major financial institutions, online services, and job search providers.

Curiously, Avalanche may turn out to be a victim of its own success.

"During an Avalanche campaign, it was not unusual for the target institutions, the relevant domain name registrar(s), a domain name registry, and other responders and service providers to all be aware of the campaign and working on mitigation at the same time," the report stated. "As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralized the advantage of the fast-flux hosting."

White hats briefly shut down the Avalanche infrastructure in mid-November, and ever since then phishing attacks generated by the group have dropped precipitously. Last month, the gang launched just 59 attacks, each one with a separate domain.

A PDF of the report is here. ®


Latest Comments

@ A successful phishing attack relies on...

Unfortunately it's not so simple. As more and more activities go online we'll be seeing people catching up but with a learning curve. During these transition periods there is an opportunity for phishers to take advantage of the fact that there is still some unfamiliarity with the new way things are getting done.

... and that doesn't even begin to count DNS poisoning or other flaws in the way we've become accustomed to using the internet.

For example, if you open your browser and type the URL of your bank (or use a shortcut, Google search result - whichever) and you are taken to a page that looks EXACTLY like your bank's page, including seeing the URL in the browser and a secure connection, what would make even the more savvy netizens stop and resolve the URL to an IP number and have a record of what the IP # is supposed to be to compare against that?

Generally it would take an extra paranoid person to do that, and where does it end, do you keep a list of every IP number and continually update it as networks change, never surfing anywhere without doing this check? I know of nobody that does this, though some avoid doing online banking for security reasons and are ironically thought of as technically challenged because of it.


And

smell of the C

ALF


A successful phishing attack relies on...

....there being a sucker or two out there.

Unfortunately, this is always going to be a truism.

Penguin: We like to fish

