
APWG Report: Global E-Crime Gang Completes Transition to Crimeware Propagation as Principal Online Bank Account Fraud Strategy

October 2010 by APWG

The world’s most prolific phishing gang has completed a transition from
using conventional phishing to massively propagating stealthy
password-stealing crimeware that does not require user cooperation to
surrender financial account credentials, according to a report released
this week by APWG.

APWG researchers from Afilias and Internet Identity found that while the
Avalanche botnet infrastructure had been used to launch conventional
spam-based phishing attacks over the past two years, the phishing has
been replaced with a scheme that infects users’ PCs with the potent Zeus
Trojan, a powerful banking credential-stealing malware.

The phishing syndicate had been successfully using the Avalanche botnet
for conventional spam-based phishing attacks that provoke a user to
visit a counterfeit website and enter his or her credentials. This
Avalanche phishing accounted for two-thirds of all phishing attacks
observed worldwide in late 2009.

But the Avalanche infrastructure was involved in just four conventional
phishing attacks in the month of July 2010. Instead, the Avalanche-based
syndicate ramped up a concerted campaign of crimeware propagation to
fool victims into receiving the Zeus crimeware and infecting their PCs
with it. Avalanche has been sending billions of faked messages from tax
authorities such as the IRS, false alerts/updates purporting to be from
popular social networking sites, and other lures. These lures take
victims to drive-by download sites, where the criminals infect
vulnerable machines.

Once a machine is infected, the criminals can remotely access it, steal
the personal information stored on it, and intercept passwords and
online transactions. The criminals can even log into the victim’s
machine to perform online banking transactions.

“While the cessation of phishing operations by the Avalanche phishing
group is great news for the anti-phishing community, their shift to the
nearly exclusive distribution of Zeus malware is an ominous development
in the e-crime landscape,” said study co-author Rod Rasmussen. “Their
spamming and other activities to target victims continue at high
levels, implying they are finding malware distribution a more effective
and profitable tactic than traditional phishing.”

Co-author Greg Aaron added: “The Avalanche criminals recently rented a
large botnet called Cutwail to send out massive amounts of spam lures.
Those spams led unsuspecting Internet users to Zeus crimeware hosted on
the Avalanche botnet. So this is a good example of how e-criminals don’t
work in isolation, and often use multiple tools – spam, malware,
botnets, and phishing – to do their work.”

Highlights of the Global Phishing Survey: Trends and Domain Name Use in
1H2010 also include:

• The Avalanche phishing gang migrated to distributing the dangerous
Zeus crimeware
• Average uptime of all phishing attacks rose from previous periods
• Phishers continue to use subdomain services to host and manage
phishing sites
• The number of Internet domain names and numbers used for phishing
held steady as the number of registered domain names has grown

The complete report is available here:

http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_1H2010.pdf

