IN BRIEF: The Europol announced today it has annihilated a cybercrime group responsible for two-thirds of all phishing attacks worldwide. The law-enforcement sting known as “Operation Avalanche,” was carried out in a joint effort by law-enforcement authorities and cyber security researchers in 30 countries.

Operation Avalanche seized, sinkholed, or blocked over 800,000 domains which had been in operation in some form since late 2009. According to estimates by the Europol, the European Union's law enforcement agency, the Avalanche Network inflicted losses of hundreds of millions of dollars worldwide.

operation-avalanche-largest-botnet-network

Operation Avalanche Dismantles Largest Botnet Network

A Europol release on the operation provided more details, stating:

"[Five] individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked."

The Justice Department’s Office for the Western Federal District of Pennsylvania and the FBI’s Pittsburgh office led the US part of the operation. "The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network," the FBI and DOJ said in their joint statement.

During the past seven years, the criminal group conducted malware distribution, phishing and spam campaigns using the botnet infrastructure. Every week there were over a million malicious emails sent to people all around the world. Around 20 different malware families were hosted by the botnet infrastructure, among which were Cerber, GozNym, Dridex, Matsnu, URLZone, XSWKit, Teslacrypt, Marcher and Pandabanker.

Cybercrime Syndicate Responsible For Two-Thirds Of All Phishing Attacks

A report published by the Anti-Phishing Working Group, a consortium of cyber security firms, in 2010 said the Avalanche gang was responsible for two-thirds of all phishing attacks that took place in the second-half of 2009 (84,250 out of 126,697). The network targeted over 40 major financial institutions, job search providers, and online services. Around 959 distinct domains were in use for the mass global malware attacks and money mule recruiting campaigns.

Phishing messages sent through Avalanche’s botnet were spoofed emails from financial institutions, including HSBC and USAA (a bank largely serving US military and veterans). The botnet created domains faster than most, creating half its domains in less than 12 hours. The programmatic churning through domains is how it amassed more than 800,000 domains before it was taken down this week.

It all started in 2012, in Germany, where Symantec and the local police joined force to investigate different Trojans. They discovered two malware families which shared the network infrastructure. The malware infected millions of computers and harvested sensitive data such as email credentials, online banking and transferred money from the victims’ accounts. The loss is estimated at 6.5 million in Germany alone.

The Avalanche gang used a technique meant to delay and evade detection called double fast flux. There were a lot of changing IP addresses with one domain name.

Catalin Cosoi, Chief Security Researcher at Bitdefender, a Romanian-based company, who was a part of the investigation says Operation Avalanche is just a beginning of what would become a takedown of the largest crime syndicate in 2017.

Operation Avalanche was carried out by the FBI, Europol, Eurojust, the Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) together with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, and cyber security companies.