A single group of attackers accounted for a quarter of all phishing in the first half of this year, according to a new study.
Called Avalanche, the gang started work late last year and has been increasing its activity since, according to a report by the Anti-Phishing Working Group.
"This criminal operation is one of the most sophisticated and damaging on the Internet and targets vulnerable or non-responsive registrars and registries," the report says.
The group attacks financial institutions, online services and job-search providers using fast-flux techniques that hide its actual attack sites behind an ever changing group of proxy machines, mainly hacked consumer computers, according to APWG's latest Global Phishing Survey.
Rather than dying out after efforts to take down the Avalanche efforts, the gang seems to be increasing its efforts. "Avalanche attacks increased significantly in the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009," the report says. The report period ends July 1, so the next report for the second half of this year will examine the apparent surge in detail.
Because the IP addresses that the attacks seem to be coming from are constantly shifting, notifying ISPs of the problem doesn't work. By the time the ISPs shut down the IP addresses the attack proxies have moved somewhere else, the report says.
The Avalanche gang registers domains at one to three registries or resellers and test whether the registrars notice that they are registering domain names that are nearly identical. If not, they launch attacks from these domains, and if the registrar takes action against them, they just abandon the domains and move on.
An example of these similar domains is given in the report: 11fjfhi.com, 11fjhj.com, 11fjfh1.com, 11 fjfhl.com. Each domain is used to launch up to 30 attacks, APWG says.
Avalanche attacks just one or two businesses at a time and frequently cycles back to re-attack older targets, the report says.
Because mitigation efforts by ISPs and others focused on Avalanche, the average lifetime of each Avalanche attack was significantly lower than the average for all attacks, the report says. The average uptime for all attacks was 39 hours, 11 minutes; for Avalanche attacks, it was 18 hours, 45 minutes, the study says.
APWG researchers consider an attack dead if it stays inactive for an hour. These attacks could be started up again after an hour, which would extend their longevity but would not be measured by the report, the researchers say. So the lifespan of Avalanche attacks may be longer than the report results indicate.
In other study results, it appears that using hacked domains as launch pads for attacks is increasing. Some 14.5% of phishing attacks came from what APWG called malicious domains registered by phishers themselves. That is down from 18.5% in the second half of last year, the period for the group's previous Global Phishing Survey. "Virtually all the rest were hacked or "compromised" domains belonging to innocent site owners," the study says.
Of the malicious domains, 43% were launchpads for the Avalanche attack.
Two top level domains - .pe (Peru) and .th (Thailand) – score highest in a measure of how many second and third level domains within them are used to launch phishing attacks. The average score across all domains was 6.9, and .pe scored 20 while .th scored 16.
Overall, attacks came from 30,131 domains distributed among 171 top level domains. Half (50.3%) of these domains fell within the .com top level domain, 8.5% within .net and 5.6 within .org. The next three most often used top level domains were .eu, .ru and .de, all with less than 3%.