'Avalanche' Group Linked to Fraud
New Report Says Phishers Now Use Zeus to Target Banks, Businesses
"Avalanche" is the name given to the world's most prolific phishing gang and to the infrastructure it uses to host phishing sites. And this is the group that has shifted additional resources to the creation of spoof sites and spam lures that distributed the very latest, most malignant Zeus variants, says Rod Rasmussen, co-author of the global phishing study released by the Anti-Phishing Working Group.
"Many of these attacks were tied directly to eventual losses to small and medium businesses," Rasmussen says. In particular, he says the IRS and bank "certificate" versions of Avalanche's 'Zeus phish' were "very effective attacks that garnered a lot of attention in the banking and security industries."
The report shows Avalanche successfully targeted some 40 banks and online service providers, and vulnerable or non-responsive domain name registrars and registries. The businesses were hit with the Zeus Trojan embedded in the phishing emails. The Zeus Trojan malware is designed specifically to steal banking credentials. The businesses then became victims of fraudulent ACH and wire transactions, as the criminals posed as employees of the business, moving thousands of dollars to overseas locations.
The same story has played out over and over at small businesses, municipal governments and other entities around the country over the past two years. The rising number of these crimes has raised concern to the point where industry associations and regulators have formed a task force to address the problem, and the FDIC recently held an open meeting to discuss the issue.
Avalanche in 'Special Category'
The thing that is most troubling to Gary Warner, a forensics expert, is "the clear signs that Avalanche is using Zeus as well." Warner is Director of Research in Computer Forensics at the University of Alabama Birmingham (UAB). He is also co-chair of the Working with Law Enforcement Committee of the APWG.
The inclusion of Zeus Trojan payloads in phishing emails sent by Avalanche, as well as the extreme volume of phishing that the group is producing, "puts them in a special category all by themselves," Warner says.
Before the concerted efforts began to take down the Avalanche domains, Warner says, at one point more than six percent of all email his lab saw was spam mail coming from the Avalanche group's Zeus section. "That is a huge percentage when you consider how many emails that means the group was sending," says Warner.
A research firm, Radicati Group, estimates that in parts of 2009 the number of emails sent per day was around 247 billion.
Warner says law enforcement has been informed of the link between Avalanche and the emails that have been hitting small and medium businesses. "I really can't comment on what they're doing with the information, as it is an ongoing investigation, but all of the data have been shared with law enforcement."
Institutions Fight Back
The data shows that the anti-phishing community, including the targeted institutions, security responders, and domain name registries and registrars, became very adept at identifying and shutting down Avalanche's attacks on a day-to-day basis. Further, a coordinated action against Avalanche's infrastructure in November 2009 has led to an ongoing, significant reduction in attacks through April 2010, says Rasmussen. The researchers advise all institutions to educate employees and customers about safe computing practices to help deter infection by phishing emails.
The report also shows median up-times for all phishing attacks on the Internet have fallen 40 percent over the past two years. "Part of that decrease is due to the concentrated effort to take down Avalanche's voluminous attacks, but the uptimes of non-Avalanche phish remain a concern," Rasmussen says.
Still, he notes, the falling times point to some improved awareness, responsiveness, and detection across the board. The security researchers also see that domain name industry players are becoming increasingly sophisticated about e-crime. "But there's a lot of work still to be done," Rasmussen says, "because the best phishers actively seek out providers that are slow or reluctant to act."