“Avalanche began attacks in December 2008 and ramped up significantly in early 2009, quickly becoming the most prolific and dangerous operation on the internet,” the report states.
The Avalanche cybercrime group, which has spoofed more than 30 financial institutions, along with other online services and job search companies, was responsible for 24 percent of all phishing attacks during the first half of the year, according to the APWG's Global Phishing Survey, released last week.
“These attacks involve domain names registered by the phishers, set up on name servers controlled by the phishers, and hosted on a fast-flux network of apparently compromised consumer-level machines,” the report states.
Fast-flux hosting often increases the longevity of an attack site because it makes it more difficult to get the domain taken down, the report states.
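From the defender's side, the fast-flux hosting the report describes shows up in passive-DNS data as one domain resolving to many short-lived addresses spread across unrelated networks. The Python below is an added example, not taken from the APWG report or this article; the observations, domain names, thresholds and the use of /24 prefixes as a stand-in for network ownership are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (domain, A-record IP, TTL in seconds).
# Addresses come from reserved documentation/benchmarking ranges.
OBSERVATIONS = [
    ("login-bank.example", "192.0.2.10", 180),
    ("login-bank.example", "198.51.100.77", 180),
    ("login-bank.example", "203.0.113.5", 120),
    ("login-bank.example", "198.18.4.20", 180),
    ("login-bank.example", "192.0.2.200", 120),
    ("login-bank.example", "203.0.113.91", 180),
    ("shop.example", "192.0.2.50", 3600),
    ("shop.example", "192.0.2.51", 3600),
]

# Assumed thresholds for illustration; tune them against your own resolver data.
MIN_IPS, MIN_NETS, MAX_TTL = 5, 3, 300

def flux_profile(observations):
    """Summarise A-record churn per domain: distinct IPs, networks, median TTL."""
    by_domain = defaultdict(list)
    for domain, ip, ttl in observations:
        by_domain[domain.lower()].append((ipaddress.ip_address(ip), ttl))
    profiles = {}
    for domain, rows in by_domain.items():
        ips = {ip for ip, _ in rows}
        # Assumption: /24 prefix approximates "different network" (no ASN data offline).
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        profiles[domain] = {
            "ips": len(ips),
            "nets": len(nets),
            "median_ttl": median(ttl for _, ttl in rows),
        }
    return profiles

def suspected_fast_flux(observations):
    """Return domains with many IPs, in many networks, served with short TTLs."""
    return sorted(
        d for d, p in flux_profile(observations).items()
        if p["ips"] >= MIN_IPS and p["nets"] >= MIN_NETS and p["median_ttl"] <= MAX_TTL
    )
```
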
The Avalanche gang registers domains at one to three registrars at a time, looking for potentially inattentive or vulnerable domain registrars that will not notice the crimes being committed, the report concluded. In one attack, for example, the gang chose a registrar in a small country and used stolen credit card numbers from consumers in that country to evade detection. If a registrar does suspend the domains, the Avalanche gang simply begins registering domains elsewhere.
Even though the Avalanche gang uses fast-flux hosting, its attack sites stayed up for a significantly shorter period of time than other phishing sites, the report states. On average, a phishing site during the first quarter of the year stayed up 39 hours, while Avalanche sites lasted roughly 18 hours.
Registrars are highly aware of this criminal group, the report states. Also, Avalanche domains are often registered with stolen credit cards, and registrars are generally quick to cancel fraudulently registered domains. But the Avalanche gang hasn't pared down its phishing efforts just because the effectiveness of its fast-flux network is in question.
“Avalanche attacks increased significantly into the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009,” the report states.