A large group of law enforcement officials, security researchers, registrars, and others have dismantled a huge malware, phishing, and cybercrime network known as Avalanche, taking down more than 800,000 domains in the process.
The operation, which was a collaborative effort by Europol, the FBI, German police, and security groups, resulted in five arrests and the seizure of 39 servers in various countries. Officials say the Avalanche crew and its infrastructure was distributed around the world and estimated that damages from the group’s activities were in the hundreds of millions of Euros. The group conducted spam, phishing, and malware attacks using a wide variety of malware strains and tactics.
“The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide. The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,” the Department of Justice said in a statement.
Investigators began looking at the Avalanche infrastructure in 2012 after a widespread ransomware attack that was attributed to the group. Many victims also were infected with banker malware that stole banking credentials and other private data. Like many cybercrime crews, Avalanche used money mules to cash out their profits and layers of personnel to handle specific tasks in an effort to avoid detection. The group also employed technical methods to attempts to confuse law enforcement and security researchers.
“The loss of some of the network’s components was avoided with the help of its sophisticated infrastructure, by redistributing the tasks of disrupted components to still-active computer servers. The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis,” Europol said in a statement.
“What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.”
The group used more than 20 malware families over the years, and officials said the group is a model for modern cybercrime groups, which often have members in several countries and use division of labor and compartmentalization.
“Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens,” said Europol Director Ron Wainwright.
Image: Paul Downey, CC By 2.0 license.