Individual gang responsible for two thirds of all phishing attacks
According to a report by the Anti-Phishing Working Group (APWG), approximately two thirds of the roughly 126,000 phishing attacks recorded in the second half of 2009 were carried out by a single gang of phishers. The APWG thinks that the gang, called "Avalanche", may be a direct successor to the "Rock Phish" gang.
Rock Phish caused a media stir, particularly in 2006 and 2007, because its members used an unusually user-friendly phishing toolkit. The toolkit was the first to support fast-flux networks, in which the domain name used for a phishing page stays the same while the IP addresses it resolves to change constantly, pointing at infected (home) PCs that serve or proxy the phishing page. Phishers use this method to cover their tracks and to make their infrastructure resilient: because no single hosting provider holds the site, no hosting provider can take it down. Only the registrar can shut down the relevant domain.
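The tell-tale pattern of a fast-flux domain, short TTLs and a constantly changing set of addresses spread across many networks, is what a takedown team or a passive-DNS sensor looks for. The following Python script is an added illustration and not part of the APWG report or The H's article: it scores a sequence of DNS answers per name. The sample records, the addresses (drawn from the 100.64.0.0/10 shared block so they point at nothing real) and the thresholds are all constructed assumptions; /16 prefixes stand in for the ASN lookup a real detector would use.

```python
"""Fast-flux heuristic over recorded DNS answers (constructed illustration)."""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS records: (seconds since first sighting, qname, ttl, A records).
# Addresses are from 100.64.0.0/10 (RFC 6598 shared space), i.e. placeholders only.
SAMPLE_ANSWERS = [
    (0,    "secure-login.example", 180, ["100.64.12.7", "100.81.3.200", "100.99.45.1"]),
    (180,  "secure-login.example", 180, ["100.70.8.19", "100.81.3.200", "100.113.2.44"]),
    (360,  "secure-login.example", 180, ["100.64.200.3", "100.88.17.65", "100.120.9.9"]),
    (540,  "secure-login.example", 180, ["100.75.1.1", "100.99.45.1", "100.101.7.23"]),
    (0,    "www.example.org", 86400, ["100.64.1.10"]),
    (3600, "www.example.org", 86400, ["100.64.1.10"]),
    (7200, "www.example.org", 86400, ["100.64.1.10"]),
]

# Thresholds are assumptions for this illustration, not values from the APWG report.
MAX_TTL = 600          # flux networks keep TTLs short so dead bots drop out quickly
MIN_DISTINCT_IPS = 5   # a static site rarely shows this many addresses in minutes
MIN_DISTINCT_NETS = 3  # distinct /16 prefixes, a stand-in for distinct ASNs/providers


def summarize(answers):
    """Collect per-name features: distinct IPs, distinct /16s, lowest TTL, answer churn."""
    feats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttl": None,
                                 "lookups": 0, "churn": 0.0})
    previous = {}
    for _ts, name, ttl, rrset in sorted(answers, key=lambda r: (r[1], r[0])):
        f = feats[name]
        f["lookups"] += 1
        f["ttl"] = ttl if f["ttl"] is None else min(f["ttl"], ttl)
        current = set(rrset)
        f["ips"] |= current
        for ip in current:
            f["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        if name in previous:
            # share of this answer's addresses that were absent from the previous answer
            f["churn"] += len(current - previous[name]) / len(current)
        previous[name] = current
    for f in feats.values():
        if f["lookups"] > 1:
            f["churn"] /= f["lookups"] - 1   # average churn per successive answer
    return feats


def is_fast_flux(f):
    """All three signals together: short TTL, many addresses, many networks."""
    return (f["ttl"] <= MAX_TTL
            and len(f["ips"]) >= MIN_DISTINCT_IPS
            and len(f["nets"]) >= MIN_DISTINCT_NETS)


def classify(answers):
    """Map each queried name to True (looks like fast-flux) or False."""
    return {name: is_fast_flux(f) for name, f in summarize(answers).items()}


if __name__ == "__main__":
    for name, f in summarize(SAMPLE_ANSWERS).items():
        print(f"{name}: ips={len(f['ips'])} nets={len(f['nets'])} "
              f"ttl={f['ttl']} churn={f['churn']:.2f} flux={is_fast_flux(f)}")
```

The churn figure is what distinguishes fast-flux from ordinary round-robin load balancing: a CDN also returns many addresses, but the set is stable from one answer to the next, whereas a flux domain rotates most of it every TTL.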
The APWG says that phishers therefore use several hundred domains – and tend to register domain names with registrars who disregard or are slow to respond to notifications issued by investigation agencies or other authorities. If a registrar smells a phish, for example due to suspicious domain names, the phishers move on to the next careless registrar – and it seems there are still enough of those around.
Nevertheless, the Avalanche attacks were contained relatively quickly due to the co-operation between the affected banks, registrars and other service providers. In the past few years, the average "uptime" of phishing attacks decreased from 50 hours in early 2008 to 32 hours at the end of 2009, according to the APWG.
With countermeasures becoming available faster and faster, the Avalanche attacks may now have subsided: after peaking at 26,000 (and 924 different domain names) last October, activity was almost down to zero in April 2010.
The Avalanche gang’s most frequently registered top level domains were .eu (33%), .com (23%), .uk and .net. By comparison, other phishing gangs mainly used .com (47%) and .net (7%).
It's worth noting that the APWG has so far registered very few "homograph spoofing attacks", which became possible with the introduction of Internationalized Domain Names (IDNs). In these attacks the characters of a URL look correct, but some of them are look-alikes taken from another script. For instance, most fonts render the Cyrillic letter "а" and the Latin letter "a" identically, although they are different characters (code points). Phishers could in theory use this to spoof high-profile addresses such as www.paypal.com. However, the APWG suspects that the criminals don't bother because domain names don't really matter to them: users still don't check the URLs they are sent thoroughly enough.
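What a browser, mail gateway or registrar can do about such look-alikes is shown by the following Python script, an added illustration that is not part of the APWG report or The H's article. It converts a hostname to the punycode form the resolver actually sees, flags labels that mix scripts (the Cyrillic-"а"-in-"paypal" case from the text) and compares a confusables "skeleton" of the name against a small brand watchlist. The hostnames, the watchlist and the confusables subset are constructed assumptions; Unicode's full confusables table (UTS #39) is much larger, and the script-tagging via character names is a stand-in for a proper Script property lookup.

```python
"""Homograph (look-alike IDN) checks for hostnames (constructed illustration)."""
import unicodedata

# Constructed test hostnames. The second one carries a Cyrillic small a (U+0430)
# where the Latin a should be; most fonts draw the two identically.
CANDIDATES = [
    "www.paypal.com",
    "www.p\u0430ypal.com",
    "b\u00fccher.example",      # legitimate IDN, single (Latin) script
]

# Brands the check protects; a deployment would load its own list (assumption).
WATCHLIST = {"www.paypal.com", "paypal.com"}

# A few Cyrillic look-alikes mapped to their Latin twins (subset of UTS #39, assumption).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})


def script_of(ch):
    """Crude script tag from the character name; the stdlib has no Script property."""
    if not ch.isalpha():
        return None                      # digits, hyphen and dot carry no script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]   # "LATIN", "CYRILLIC", ...


def mixed_script_labels(hostname):
    """Labels that mix scripts, e.g. Latin and Cyrillic letters in one label."""
    out = []
    for label in hostname.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            out.append(label)
    return out


def to_ascii(hostname):
    """IDNA (punycode) form: what DNS, the certificate and the registrar actually see."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname):
    """Fold known look-alikes onto their Latin twins so spoofs collide with the brand."""
    return unicodedata.normalize("NFKC", hostname).translate(CONFUSABLES)


def assess(hostname):
    """Return the findings for one hostname as a dict."""
    ascii_form = to_ascii(hostname)
    return {
        "ascii": ascii_form,
        "is_idn": ascii_form != hostname,
        "mixed_script": mixed_script_labels(hostname),
        "impersonates": skeleton(hostname) in WATCHLIST and hostname not in WATCHLIST,
    }


def is_homograph_attack(hostname):
    """Either signal alone is enough to refuse the name or show its punycode form."""
    r = assess(hostname)
    return bool(r["mixed_script"]) or r["impersonates"]


if __name__ == "__main__":
    for host in CANDIDATES:
        print(host, assess(host), "ATTACK" if is_homograph_attack(host) else "ok")
```

The two signals cover different cases: the mixed-script check needs no watchlist but misses a label written entirely in one confusable script, while the skeleton comparison catches whole-script spoofs of the brands it knows and nothing else. Displaying the punycode form ("xn--...") for any name that fails either test is the defence browsers eventually settled on.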
The complete report is available to download at Global Phishing Survey: Trends and Domain Name Use in 2H2009.
- Police apprehend Romanian phishing gang, a report from The H.