A single criminal gang was responsible for two thirds of the world's phishing attacks in the second half of 2009, the Anti-Phishing Working Group (APWG) has revealed.
According to an APWG report, an organisation called "Avalanche" was prolific in targeting vulnerable and unresponsive domain name registrars and registries, leading to an explosion of phishing activity in the latter part of last year before the group went quiet in November 2009.
The dominance of a single group is by no means new, with Avalanche itself the successor to the Rock Phish group that was active between 2006 and mid-2008.
However, the APWG says Avalanche built on the techniques used by Rock Phish to become even more successful. The group first appeared in December 2008, and its involvement in one in four phishing attacks in the first half of 2009 saw it emerge as a clear threat.
But its activities truly peaked in the second half of the year, when two-thirds of the 126,000-odd fake websites designed to dupe unsuspecting internet users into divulging their personal details were set up and operated by Avalanche. And given that the group went quiet in November, the real figure for much of that period was even higher.
"This criminal entity is one of the most sophisticated and damaging on the internet, and perfected a mass-production system for deploying phishing sites and 'crimeware' - malware designed specifically to automate identity theft and facilitate unauthorised transactions from consumer bank accounts," the report says.
Most of Avalanche's sites were spread over just a few top-level domains, including .eu (33 per cent), .com (23 per cent), .uk (16.1 per cent) and .net (13.8 per cent). It used fast-flux botnets to conceal its operations, registering and unregistering large numbers of IP addresses with a number of directory names. Its attack machines were commandeered through peer-to-peer botnets, with phishing traffic proxied to provide another level of concealment.
Avalanche was also instrumental in spreading the Zeus Trojan, which helps fraudsters steal data such as passwords and other personal information.
The APWG says the focus in taking on the network helped reduce the average lifetime of a phishing attack from 48 minutes in 2008 to under 36 minutes in the latter half of 2009. Non-Avalanche attacks were the invariably more successful, typically remaining active for four times as long as Avalanche-created attacks.
From July onwards, Avalanche was responsible for targeting in excess of 40 major financial institutions, services and job search providers. However, after its infrastructure was briefly disabled in mid-November, the group changed its approach and appears to have become all but invisible on the phishing landscape. The details of how the network was compromised remain unclear as legal investigations are still ongoing.
Yet despite all the evidence pointing to Avalanche's operations having been dismantled, its emergence in the first place suggests it's simply a matter of time until another group rises to fill the void, the APWG says.
"As of this writing, Avalanche has dwindled to a shadow of its former self. Will Avalanche fade for good or will it too be reborn as something new?" the report speculates.
