Avalanche (commonly known as the Avalanche Gang) is a criminal syndicate involved in phishing attacks. In 2010, the Anti-Phishing Working Group (APWG) reported that Avalanche had been responsible for two-thirds of all phishing attacks in the second half of 2009, describing it as "one of the most sophisticated and damaging on the Internet" and "the world's most prolific phishing gang".[1] The name "Avalanche" also refers to the network of websites and systems which the gang uses to carry out its attacks.
Avalanche was discovered in December 2008, and may be a replacement for a successful phishing group known as Rock Phish which stopped operating in 2008.[2] It is believed to be run from Eastern Europe and was given its name by security researchers because of the high volume of its attacks.[3][4] Avalanche launched 24% of phishing attacks in the first half of 2009; in the second half of 2009, the APWG recorded 84,250 attacks by Avalanche, constituting 66% of all phishing attacks. The number of total phishing attacks more than doubled, an increase which the APWG directly attributes to Avalanche.[1]
Avalanche uses spam email purporting to come from trusted organisations such as financial institutions or employment websites. Victims are deceived into entering personal information on websites made to appear as though they belong to these organisations. Victims may also be asked to install software by email or at the websites. The software is malware which can log keystrokes, steal passwords and credit card information, and allow unauthorised remote access to the infected computer. Internet Identity's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and the Automated Clearing House (ACH) system. They are also performing successful real-time man-in-the-middle attacks that defeat two-factor security tokens."[5]
Avalanche has many similarities to the previous group Rock Phish - the first phishing group which used automated techniques - but has been described as greater in scale and volume.[6] One of the techniques Avalanche uses is to host its domains on compromised computers which are part of a botnet. There is no hosting provider, so it is difficult to take down the domain, requiring the involvement of the responsible domain registrar. In addition, Avalanche uses fast-flux DNS, causing the compromised machines to change constantly. Avalanche attacks also spread the Zeus trojan horse enabling further criminal activity. The majority of domains which Avalanche uses belonged to national domain name registrars in Europe and Asia. This differs from other phishing attacks, where the majority of domains use U.S. registrars. It appears that Avalanche chooses registrars based on their security procedures, returning repeatedly to registrars which do not detect domains being used for fraud, or which were slow to suspend abusive domains.[5][7] Avalanche frequently registers domains with between one and three registrars, while testing others to check whether their distinctive domains are being detected and blocked. They target a small number of brands (such as specific financial institutions) at a time, but rotate these regularly. A domain which is not suspended by a registrar is often re-used in a later attack. The group has created a phishing "kit", which is pre-prepared for use with many brands.[8][5]
Avalanche has attracted significant attention from security organisations; as a result, the uptime of the domain names it uses is half that of other phishing domains.[1] In October 2009, ICANN, the organisation which manages the assignment of domain names, issued a Situation Awareness Note encouraging registrars to be pro-active in dealing with Avalanche attacks.[9] The UK registry, Nominet has changed its procedures to make it easier to suspend domains, because of attacks by Avalanche.[1] Interdomain, a Spanish registrar, began requiring a confirmation code delivered by mobile phone in April 2009 which successfully forced Avalanche to stop registering fraudulent domains with them.[5] In November 2009, security companies managed to shut down the Avalanche botnet for a short time; after this Avalanche reduced the scale of its activities and altered its modus operandi. By April 2010, attacks by Avalanche had decreased to just 59 from a high of more than 26,000 in October 2009, raising concerns that a more damaging successor may be on the way.[1][2]