Sunday, October 31, 2010

Avalanche Gang: The Ultimate Bank Robbers?

From ZDNet ...

This time last year it was being reported that the Avalanche Gang was responsible for around two thirds of all phishing attacks on the Internet. But Avalanche, described at the time as "one of the most sophisticated and damaging on the Internet" by the Anti-Phishing Working Group (APWG), was responsible for only a paltry four conventional phishing attacks during the month of July 2010. Which you might think is good news, and it would be were it not for the fact that the Avalanche Gang has not hung up its spurs and given up cyber crime.

At the tail end of last year ZDNet UK reported that the Avalanche Gang, named after the botnet it employs, was collaborating with the people behind the Zeus botnet. Back then, in December 2009, Vincent Hanna, who was employed as an investigator for the Spamhaus Project, told ZDNet UK that the gangs behind Avalanche and Zeus were using each other's infrastructure on a purely commercial basis: "We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware."

Fast forward to now, and it looks like the Avalanche Gang has completed its transition from conventional phishing and spam outfit to the world's biggest bank robbers. According to the latest APWG research, Avalanche has "moved from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials."

The Avalanche Gang has been slowly ramping up a concerted campaign of crimeware propagation in order to con victims into getting infected by Zeus. Well, I say slowly, but everything is relative: according to the APWG research Avalanche has been sending billions of faked messages from tax authorities, false alerts/updates purporting to be from popular social networking sites, and other scams designed to deliver marks to drive-by download sites.

I have heard nothing to suggest that there is any evidence that Operation Trident Breach, an international effort involving the FBI and the Metropolitan Police as well as other law enforcement agencies around the world and which has so far led to the arrest of 150 people involved with the Zeus operation, has actually led to any arrests of Avalanche Gang members.

As Rod Rasmussen, co-author of the APWG research report, says: "Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing." With Zeus being responsible for hundreds of millions of pounds' worth of theft to date, and no Avalanche arrests making the headlines, that would make the Avalanche Gang the most successful bank robbers in history.


Erin Booth said...

The Avalanche Gang is able to bypass user cooperation and rob individual bank accounts, making them one of the biggest bank robbers in the world. While this is unsettling, the fact that they can do this so easily and without getting caught is even more disturbing. ZDNet said that there is nothing to suggest that any Avalanche Gang members have been arrested. While law enforcement agencies are aware of the success of the Avalanche botnet, they have been ineffective at stopping them, clearly elucidating the gaping hole in law enforcement's ability to stop cyber criminals. The problem is that Internet technology and software are constantly changing, and criminals can adapt quicker than law enforcement agencies can stop them. We need to begin to figure out alternative methods of stopping cyber criminals, because the current systems in place fall too short.

Patrick Gordon said...

I agree with what Erin said. It's a failure of agencies/task forces/etc. to implement institutional change. It's interesting to look at the way the "criminal" has developed over time through the lens of the Avalanche Gang or any network of cyber-thieves. For the last twenty or so years, there has been much talk among policy makers and law enforcement over the arrival and dominance of the non-state actor in various scenarios. Gone from dominance are the massive state vs. state campaigns, just like the average criminal physically walking into a bank and holding up the teller. Ok, perhaps too much exaggeration. But there is a definite fluctuation of who the "criminal" is. Much of the concentration on non-state actors (think al-Qaeda, Lord's Resistance Army, etc.) has also led policymakers to overlook a group that has splintered off from non-state actors, and that is the cyber-thief. Far from even formally acknowledging the rising occurrence of this new non-state actor, law enforcement believes it can necessarily track them through good ol' fashioned detective work (looking for a fingerprint, surveillance tapes). This is the real victory of cyber criminals. Regardless of the sum of money they are making (which is stunning nonetheless), they have managed to grow surreptitiously and exponentially, with little effort, all the while letting law enforcement/policymakers fool themselves into believing either (A) that the emergence/propagation of the cyber-thief is not as serious as people make it out to be (or, perhaps, the lesser of two evils) or (B) that when they decide to go after them, they can do just fine using the same time-trusted crime-fighting methods.

David Hernandez said...

In the span of just a little over a year, the Avalanche Gang has become "the world's biggest bank robbers". This disturbing problem only sheds light on how unsafe the Internet continues to become through its rapid growth and due to the fact that cyber criminals seem to be becoming more and more successful. This, as Erin and Patrick mentioned, is partly the fault of agencies who fail to make the cyber world a safer environment by stopping such criminals. Then again, to what extent can these agencies actually implement these safety methods without infringing on the privacy of others? It seems to me that even though this problem continues to grow, enforcement agencies will do little or nothing to stop it. It's easier to watch a problem from the sidelines than to be amidst an ongoing issue that will take so much time to fix that, by then, another problem regarding cyber criminals will arise.

Paloma B said...

The stereotype of a person in a gang would be a big, buff, relatively unintelligent male. His reasons for being in a gang would be a sense of belonging and protection, and the gains normally would not be very substantial (territorial sometimes). This new brand of gang, however, seems a far scarier group to me than those old-school thugs on the street. Under the new definition, a member of a cybergang could be male or female of any build, and for the most part of relatively high intelligence. Their main motivators are financially based, and they're stealing from the least suspecting of us. I find it immensely disconcerting that there have been 150 arrests according to the article and the cybergangs still have not fallen: this just speaks for their sheer numbers and uncanny organization.

I agree with Erin's assertion that the current laws against cyber crime are simply insufficient and the fact that they seem to perform these bank thefts with such ease just infuriates me even more. If the government is taking steps to cut down on my privacy as an Internet user, then I expect to see more results. I know that this will take time and yet with the increasing talks about the Internet and its capabilities as a tool that can be used against the user, I would hope that the government would take steps in keeping with the times. Where there are cyber gangs there should be a proportional amount of cyber police, and where there is cyber crime there should be a measure of punishment for the damage caused. When such a system is in place, then there will be more peace and security on the Internet and less need to recriminate the privacy of regular Internet users conducting reasonably acceptable activities.