Worst Phishing Pest May be Revving Up

The single most active group for stealing identities and pilfering electronic bank accounts over the Internet has nearly ground to a halt, but the lull could be the precursor to an even worse crime spree, according to a new study.

Attacks by the group known as Avalanche plummeted from 26,411 last October to just 59 last month, the Anti-Phishing Working Group (APWG) in its "Global Phishing Survey: Trends and Domain Name Use 2H2009".

Are you ready for these Internet security threats?But a similar shutdown of a group known as Rock Phish that was active between 2006 and the summer of 2008 was followed quickly by Avalanche, which was even more effective, APWG says. Avalanche first appeared in December of 2008.

With Avalanche seemingly winding down, a worse successor could be poised to take over. "As of this writing, Avalanche has dwindled to a shadow of its former self. Will Avalanche fade for good or will it too be reborn as something new?" the APWG report says.

Before it wound down, Avalanche dominated all phishing activity for more than a year. In the second half of last year it soared to account for two-thirds of all phishing worldwide, APWG says. During the first half of 2009, Avalanche also dominated but was responsible for only 25% of all phishing, APWG said in its last report.

"This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and 'crimeware' -- malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts," the study says.

Avalanche uses fast-flux hosting to hide its attack machines by registering and unregistering their IP addresses with different directory names to avoid detection. These machines are commandeered by botnets and proxy the phishing traffic to further conceal the source of the activity.

The Avalanche infrastructure also distributed the Zeus Trojan that sets up infected machines to be taken over by attackers who then steal data including passwords and personal information.

Avalanche used just a few top-level domain names for the bulk of its activity -- .eu (33%), .com (23%), .uk (16.1%) and .net (13.8%). The gang seems to avoid top-level domains where registries monitor for outbreaks, tell registrars about them and take down domain names if the registrar doesn't do so. Among these are .BIZ, .INFO, .ORG and .HK.

Concerted efforts to stop Avalanche seems to have had some effect -- reducing the lifetime of individual phishing attacks even if the total number increased. Victims of attacks, registrars, registries and others coordinated efforts to block out Avalanche, APWG says. Perhaps as a result the average uptime for an attack dropped from more than 48 minutes in 2008 to less than 36 minutes during the second half of 2009.

Non-Avalanche phishing attacks stayed up on average four times longer than Avalanche attacks, indicating concentrated efforts to fight Avalanche were working and keeping its creators constantly on the move, APWG says.

Read more about wide area network in Network World's Wide Area Network section.

This story, "Worst Phishing Pest May be Revving Up" was originally published by Network World.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon