IT Compliance and Controls

Converging Business, Information, and Controls


What do coordinated phishing attacks mean to your organization?

May 28th, 2010

A report released this month has identified a single group that is responsible for 2/3 of ALL global phishing attacks.  Operating at that scale is a tremendous task and requires an exceedingly large amount of sophistication.  A telling quote from the report (available here) gives a bit of background:

Central to Avalanche’s success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as and Those abilities also fuel the success.
There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted the more than 40 major financial institutions, online services, and job search providers.

In addition, the domains / IP addresses hosting these malicious sites break down in the following manner (demonstrating how important global controls are):

Of the 28,775 phishing domains, we identified 6,372 that we believe were registered maliciously, by the phishers. Of those, 4,141 (66%) were registered by Avalanche. Virtually all of the other 22,403 domains were hacked or compromised on vulnerable Web hosting. Malicious registrations apparently took place in just 51 TLDs.

The takeaways here are the following (please comment on other perspectives):

  1. By centralizing / controlling the phishing attacks, Avalanche is gaining rapid knowledge of target infrastructures, security defenses, and massive amounts of intellectual property that can be re-deployed in future attacks against other parties (or for sale).
  2. Expansion of these attacks, resulting from the accumulation of such knowledge combined with the 700 million + records of sensitive data on consumers, creates the opportunity for a massive spear-phishing campaign.
  3. The leveraging of dynamic hosts and botnets is introducing a frontier whereby we can no longer have black lists / white lists as a simple solution.  In addition, the idea of perimeter defenses and trusted site-to-site open VPNs is drawn into question.
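
To make takeaway 3 concrete, here is an added example (not from the report or the original post) showing why a static IP blacklist loses track of a fast-flux host while a behavioral check on DNS answers still flags it. The domain names, addresses, polling data and thresholds are all constructed assumptions, and the /24 prefix stands in for the hosting network.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (poll number, domain, A record, TTL in seconds).
# Names use the reserved .example TLD; addresses come from documentation ranges.
OBSERVATIONS = [
    (1, "secure-login.example", "192.0.2.10", 120), (1, "secure-login.example", "198.51.100.23", 120),
    (2, "secure-login.example", "203.0.113.5", 120), (2, "secure-login.example", "192.0.2.77", 120),
    (3, "secure-login.example", "198.51.100.140", 120), (3, "secure-login.example", "203.0.113.201", 120),
    (1, "static.cdn.example", "192.0.2.1", 60), (1, "static.cdn.example", "192.0.2.2", 60),
    (2, "static.cdn.example", "192.0.2.3", 60), (2, "static.cdn.example", "192.0.2.4", 60),
    (3, "static.cdn.example", "192.0.2.5", 60), (3, "static.cdn.example", "192.0.2.6", 60),
    (1, "www.corp.example", "198.51.100.9", 3600), (2, "www.corp.example", "198.51.100.9", 3600),
    (3, "www.corp.example", "198.51.100.9", 3600),
]

def summarize(observations):
    """Per-domain rotation metrics: distinct IPs, distinct networks, median TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _poll, domain, ip, ttl in observations:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return {
        d: {
            "ips": len(ips[d]),
            # The /24 prefix is a crude stand-in for the origin ASN (assumption).
            "nets": len({ip.rsplit(".", 1)[0] for ip in ips[d]}),
            "ttl": median(ttls[d]),
        }
        for d in ips
    }

def looks_fast_flux(m, min_ips=5, min_nets=3, max_ttl=300):
    """Illustrative thresholds: many addresses, spread over networks, short TTL."""
    return m["ips"] >= min_ips and m["nets"] >= min_nets and m["ttl"] <= max_ttl

def flagged(observations):
    """Domains whose answer pattern matches all three fast-flux signals."""
    return sorted(d for d, m in summarize(observations).items() if looks_fast_flux(m))

def blocklist_coverage(observations, domain, learned_at_poll=1):
    """Share of later answers that an IP blocklist built at one poll still matches."""
    known = {ip for p, d, ip, _ in observations if d == domain and p <= learned_at_poll}
    later = [ip for p, d, ip, _ in observations if d == domain and p > learned_at_poll]
    return sum(ip in known for ip in later) / len(later) if later else 1.0

if __name__ == "__main__":
    print("flagged:", flagged(OBSERVATIONS))
    for name in ("secure-login.example", "www.corp.example"):
        print(name, "blocklist coverage:", blocklist_coverage(OBSERVATIONS, name))
```

The CDN-style domain in the sample also rotates addresses on a short TTL but stays inside one network, which is why the check combines signals instead of alerting on rotation alone.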

The evolution of these attacks is expanding, as the evolution of worms demonstrated.  Malware artists generally go from proof of concept -> proof of distribution -> proof of non-detection -> proof of precision.  It is the crossing from distribution to non-detection and then precision that has the highest rewards for attackers.  Safeguards for companies should consider social approaches.  People are the target here, and technology cannot block every attack.  Organizations could consider process and people as their main line of defense.  This, in partnership with mature detection and response capabilities, will limit the impact of any embedded threat.


James DeLuccia
