Application security, Malware, Phishing, Vulnerability Management

“Avalanche” phishing slowing, but was all the 2009 rage

A single crime syndicate dominated the phishing scene last year, but the outfit appears to be taking quieter breaths in 2010, a new report concludes.

The Eastern European-based ring, dubbed Avalanche, was responsible for roughly two-thirds of all phishing attacks launched in the second half of last year, according to a study released Wednesday by the nonprofit Anti-Phishing Working Group (APWG). That is up significantly from the first half of 2009, when Avalanche was blamable for a quarter of all phishes.

Specifically during the second half of last year, Avalanche accounted accounted for 84,250 of 126,597 total phishing attacks, defined as a phishing site that targets a specific brand, the report said. The 126,597 number was more than double the amount of phishing attacks recorded during the first half of 2009.

In Avalanche's case, victimized brands included some 40 financial services companies and online service and job search providers

Aside from phishing, Avalanche also has been responsible for delivering emails containing links pointing to the dangerous Zeus data-stealing trojan.

What has made the group so successful is its advanced infrastructure, and most agree Avalanche is a successor to the Rock Phish ring, considered the first syndicate to automate phishing, said Rod Rasmussen, founder and CTO of security firm Internet Identity and co-author of the report.

Avalanche hosts its domains on a botnet consisting of compromised PCs and uses fast-flux techniques to hide the host server, he said.

"It's very simple for them to set up new attacks when someone takes down the old domains," Rasmussen told

And there is little anyone can do, aside from the domain registrars and registries.

"Because Avalanche is running its own hosting, the only way to stop it is to suspend domain names," Greg Aaron, director of domain security at Afilias, registry operator for the .info top-level domain. told

But after a year of pummeling attacks courtesy of Avalanche, involved parties got wise, according to the report.

"Because they were so damaging, prevalent, and recognizable, Avalanche attacks received concentrated attention from the response community," the APWG report said. "During an Avalanche campaign, it was not unusual for the target institutions, the relevant domain name registrar(s), a domain name registry, and other responders and service providers to all be aware of the campaign and working on mitigation at the same time. As a result, Avalanche attacks had a much shorter average uptime than non-Avalanche phishing attacks, and community efforts partially neutralized the advantage of the fast-flux hosting. Despite this, the attacks were obviously profitable, and they continued in volume."

A weeklong disabling of the Avalanche botnet at the hands of the security community prompted Avalanche operators to significantly shift their strategy beginning last November, the report said.

This has resulted in far fewer attacks. In April, the syndicate was responsible for 59, compared to 924 in October.

There is no way to tell if Avalanche is done for good, or if the drop-off is just a temporary lull, experts said. However, its operations surely will spur on copycats.

"What these guys have done is shown other people how to do things that are effective," Rasmussen said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.