Skip to main content

An Avalanche of Cybercrime Comes Down

by Dennis Fisher on Wednesday December 7, 2016

Contact Us
Free Demo

There are an unknowable number of significant organized cybercrime rings operating at any given time, so when one of them falls, it’s easy to gloss over it. But in recent days, law enforcement officials on two continents took down a group that was responsible for hundreds of millions of dollars in losses in the last couple of years and was operating one of the larger phishing and malware infrastructures ever seen.

The group, known as Avalanche, has been working in Europe and North America for some time and law enforcement officials say the gang was operating more than 800,000 malicious domains as part of its phishing campaigns. The crew was using more than 20 different malware families and had compromised hundreds of thousands of machines in the six years it’s known to have been active. Given their need for secrecy and the constantly shifting nature of their operations, there’s no real way to measure the size of cybercrime groups, but officials estimate that Avalanche is one of the larger groups ever to be taken down.

“Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens,” Rob Wainwright, director of Europol, one of the main agencies involved in the takedown, said.

The sheer size of the Avalanche operation is pretty staggering. Here are some of the numbers associated with the takedown:

  • 5 people arrested
  • 37 premises searched
  • 39 servers seized
  • Victims in 180 countries
  • 221 servers taken offline
  • 800,000 domains seized, sinkholed, or blocked

Aside from the scope of its operation, the Avalanche group also is notable for its use of a double fast-flux infrastructure, which it used to hide its servers and domains from investigators for years. Botnets and malware operations have been using fast flux DNS techniques for several years now as a way of hiding the actual location of their servers. The Avalanche crew was using a modified version of this tactic that involved hundreds or thousands of servers quickly registering and dropping out of a DNS record server list for a specific DNS zone. The idea is to keep investigators and security researchers guessing by quickly changing the IP address associated with a given domain.

In the case of Avalanche, the tactic worked quite well and for a very long time. Most cybercrime groups don’t have anywhere near the longevity of this one. Groups often fall to internal disagreements or make sloppy mistakes that bring them to the attention of law enforcement long before they can establish the kind of infrastructure and scope that Avalanche had. In this case, law enforcement caught on to the group several years ago thanks to a huge ransomware attack attributed to the Avalanche operators.

But even after becoming aware of the group’s operations, it took law enforcement years of investigative work and cooperation among agencies in 30 countries to take down Avalanche. That long-term work and perspective is what’s often been missing in cybercrime investigations, so it’s encouraging to see an operation like this succeed.

Tags:  Cybercrime

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.