After eight years of its existence, Avalanche Botnet has now been dismantled in a 4-year-long international operation.
On 30 November, German prosecutors and police – working hand in hand with the Department of Justice and the FBI in the U.S., the EU’s law enforcement agency and other global partners – managed to dismantle the international criminal network that had been involved in phishing attacks, bank fraud, and ransomware around the world for years.
Avalanche botnet
Avalanche was first discovered in December 2008 and was believed to have its base in Eastern Europe. Security experts gave the international cybercriminals the name ‘Avalanche’ due to the high volume of its attacks.
In 2010, the Anti-Phishing Working Group’s (APWG) report found that Avalanche was responsible for two-thirds of all phishing attacks launched in the second half of 2009, and for the overall increase in phishing attacks recorded across the internet. In that half-year, Avalanche accounted for more than 84,000 of the 127,000 phishing attacks recorded.
It’s reported that they sent more than a million emails with malicious attachments on a weekly basis.
Nature of their attacks
The techniques Avalanche used were sophisticated and quick. They’d send spam emails pretending to come from trustworthy organisations such as the FBI, the Association of Chief Police Officers, and financial institutions. These emails were bait to lure victims into installing the malicious software attached to them. The malware could then steal personal information like passwords and credit card details, and could even give the cybercriminals remote access to the infected computer.
It took a very long time to clamp down on the cybercriminals, because Avalanche hosted its domains on a network of compromised computers, known as a botnet. There was no single hosting provider to approach, which made it difficult to take down the criminal network.
Avalanche also used fast-flux DNS. With this technique, the IP addresses that a domain resolves to are rotated rapidly among the compromised hosts, which hides the real servers behind them; infected machines could join and drop out of the network far quicker than law enforcement officials could trace them. It was like a cat and mouse chase.
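The fast-flux behaviour described above (one domain resolving to many short-lived IP addresses spread across unrelated networks) is what defenders look for in passive DNS data. The following is an added example, not code from the original article; the domain names, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS style records for illustration (not real data):
# (queried name, resolved IPv4 address, TTL in seconds)
SAMPLE_RECORDS = [
    ("secure-update.test", "198.51.100.10", 150),
    ("secure-update.test", "203.0.113.45", 150),
    ("secure-update.test", "192.0.2.77", 120),
    ("secure-update.test", "198.51.100.200", 150),
    ("secure-update.test", "203.0.113.9", 90),
    ("secure-update.test", "192.0.2.140", 120),
    ("secure-update.test", "198.51.100.33", 150),
    ("static-site.test", "192.0.2.5", 86400),
    ("static-site.test", "192.0.2.5", 86400),
]


def summarize(records):
    """Aggregate resolutions per name: distinct IPs, distinct /24 prefixes, largest TTL."""
    by_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for name, ip, ttl in records:
        entry = by_name[name]
        entry["ips"].add(ip)
        # Hosts spread over many /24 prefixes point to compromised machines in
        # unrelated networks rather than one hosting provider's address block.
        entry["prefixes"].add(str(ip_network(f"{ip}/24", strict=False)))
        entry["ttls"].append(ttl)
    return {
        name: {
            "distinct_ips": len(e["ips"]),
            "distinct_prefixes": len(e["prefixes"]),
            "max_ttl": max(e["ttls"]),
        }
        for name, e in by_name.items()
    }


def is_fast_flux(summary, max_ttl=300, min_ips=5, min_prefixes=3):
    """Heuristic: short TTLs combined with many IPs across many networks."""
    return (summary["max_ttl"] <= max_ttl
            and summary["distinct_ips"] >= min_ips
            and summary["distinct_prefixes"] >= min_prefixes)


def flag_fast_flux(records, **thresholds):
    """Return the sorted list of names whose resolution pattern looks like fast flux."""
    return sorted(name for name, s in summarize(records).items()
                  if is_fast_flux(s, **thresholds))
```

Thresholds are assumptions for this example; a CDN also uses short TTLs and several addresses, so in practice the result is a lead for analyst review rather than a verdict on its own.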
The botnet served multiple phishing attacks and at least 17 different malware families to victims, and the law enforcement officials managed to seize 800,000 internet domains used by Avalanche. Representatives of the FBI and the U.S. Department of Justice issued a statement to say that:
“…the operation involves arrests and searches in five countries … and more than 50 Avalanche servers worldwide were taken offline.”
EU’s law enforcement agency
Europol, the EU’s law enforcement agency, provided further details of the operation, stating:
“[Five] individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.”
The ongoing battle…
This is a small victory in the fight against cyber-terrorism. Terminating “the world’s most prolific phishing gang” sends a strong message to other cybercriminal networks that law enforcement agencies will keep fighting until cybercrime is a thing of the past.
However, that may be wishful thinking, as cybercrime has been rising steadily in the past few years.