Avalanche Phishers Migrate to Zeus

Most Prolific Gang Hangs Up Nets, Gets Behind Malware
Avalanche Phishers Migrate to Zeus
The Avalanche crime group, the world's most prolific phishing gang, has moved from using conventional phishing to solely propagating Zeus, the most famous and stealthy password-stealing malware, say security researchers in a new report.

The Anti Phishing Working Group's "Global Phishing Survey: Trends and Domain Name Use in 1H2010" says Zeus doesn't need the victim's cooperation to surrender financial account credentials.

APWG researchers from Afilias and Internet Identity found that while the Avalanche botnet infrastructure had previously been used to launch conventional spam-based phishing attacks, over the past two years the phishing has been replaced with a scheme that infects users' computers with Zeus.

The phishing syndicate had been successfully using the Avalanche botnet for conventional spam-based phishing attacks that provoke a user to visit a counterfeit website and enter or his or her credentials, says Rod Rasmussen, co-author of the report.

This Avalanche phishing botnet accounted for two-thirds of all phishing attacks observed worldwide in the second half of 2009. But the Avalanche infrastructure was involved in just four conventional phishing attacks in the month of July 2010, Rasmussen says.

What happened instead was the Avalanche-based syndicate built a "concerted campaign of malware propagation to fool victims into receiving the Zeus crimeware and infecting their computers with it," Rasmussen says. Avalanche has been sending billions of faked messages from tax authorities such as the IRS, false alerts/updates purporting to be from popular social networking sites such as LinkedIn, Facebook and other lures.

These lures, Rasmussen says, take victims to drive-by download sites, where the criminals infect vulnerable machines. Once a machine is infected, the criminals can remotely access it, steal the personal information stored on it, and intercept passwords and online transactions. The criminals can even log into the victim's machine to perform online banking transactions.

ACH Fraud Linked to Attacks

The attacks being supported by the Avalanche infrastructure are the very nasty Zeus variants that the entire banking and security industries have been talking about over the past several months, says Rasmussen. These attacks are a prelude to the criminals using the stolen banking credentials to perform corporate account takeover, stealing millions from commercial bank accounts via ACH fraud and wire transactions.

"The impact on small/medium sized businesses, charities, local government agencies and other entities is well documented," he adds.

The recent FS-ISAC guidance on corporate account takeover for businesses "does a great job of going into many measures (probably too many) that small and medium businesses, who are the primary targets of these attacks, can take," Rasmussen says.

His main advice remains for businesses and other organizations that don't have Reg E protection is "buy a cheap computer dedicated solely to online banking and no other purposes." There are a host of other measures that can be taken by ISPs, businesses and organizations, i.e. promising techniques of blocking access at the perimeter, including "botted" computer detection/mitigation with walled gardens and/or isolation, he says. These should be implemented on several layers from the firewall to IDS/IPS and even DNS resolution.

Shift in Cyber Crime

"While the cessation of phishing operations by the Avalanche phishing group is great news for the anti-phishing community, their shift to the nearly exclusive distribution of Zeus malware is an ominous development in the cybercrime landscape," says Rasmussen. The spamming and other activities to target victims continues at high levels, "implies they are finding malware distribution a more effective and profitable tactic than traditional phishing," he adds.

The lack of phishing operations doesn't mean that the criminals stopped looking for alternate ways to infect computers, says Greg Aaron, the other co-author of the report. "The Avalanche criminals recently rented a large botnet called Cutwail to send out massive amounts of spam lures. Those spams led unsuspecting Internet users to Zeus malware hosted on the Avalanche botnet." He says this is a good example of how cybercriminals don't work in isolation, often using multiple tools - spam, malware, botnets, and phishing - to do their work.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network