Avalanche

Avalanche was a prolific cybercriminal phishing gang and the infrastructure it used to host phishing sites. Security researchers described it as the world’s most prolific phishing gang, responsible for roughly two-thirds of global phishing attacks in the second half of 2009, with more than 84,000 attacks tracked by APWG. The group first appeared in late 2008 and dominated phishing activity for more than a year. Avalanche used automated tooling to mass-produce phishing sites, spam lures, fake websites, fast-flux hosting, botnet-proxied traffic, and spoofed sites to steal credentials and distribute crimeware, particularly the Zeus banking Trojan. Reporting cited campaigns themed around the IRS and bank certificates, and said the group targeted about 40 banks and online service providers, as well as small and midsized businesses. Victims suffered theft of banking credentials and fraudulent ACH and wire transfers, with criminals impersonating employees and moving funds overseas. APWG reporting stated that by 2010 Avalanche had largely shifted resources away from traditional phishing toward distributing Zeus variants. Separate reporting on the Avalanche botnet described it as active since 2009 and used as resilient double-fast-flux infrastructure for malware distribution, money muling schemes, and fast-flux communications for other botnets. Law enforcement and government reporting linked Avalanche infrastructure to 17 major malware families, including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, URLzone, Citadel, Dridex, Vawtrak, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and others. Europol said the botnet caused hundreds of millions of dollars in losses worldwide and about EUR 6 million to the German banking sector. In 2016, an international operation led by German authorities with support from Europol, Eurojust, the FBI, the U.S. Department of Justice, BSI, and partners from more than 40 countries disrupted Avalanche through arrests and large-scale sinkholing, seizure, and blocking of approximately 800,000 domains. The content also notes some researchers believed Avalanche may have been operated from an Eastern European country, but this attribution is presented as belief rather than confirmed fact. Known alias in the provided content: Avalanche.