ICANN Situation Awareness Note 2009-10-06
High volume criminal phishing attack known as Avalanche, the delivery method for the Zeus botnet infector
Zeus downloads and phishing currently targeting financial institutions and services through use of the DNS and fast flux techniques
The pattern seen with Avalanche involves targeting one to three registrars/domain name resellers for the bulk of an attack set, while also targeting a small number of other providers to test their suitability for future attacks. Once the provider(s) carrying the majority of the domain names start to actively take down sites and implement the other security procedures discussed below, Avalanche moves on to one or two of the previously tested providers, depending on the results of those tests.
When a registrar comes under attack by Avalanche, its abuse team will likely receive many takedown requests and follow-up contacts from the targeted banks/on-line service providers and their security companies, such as BrandProtect, Cyveillance, Mark Monitor, Internet Identity, and RSA. Given how many banks are attacked at once, these contacts can amount to an overwhelming volume of incoming communications and a great deal of unnecessary work for your legal, support and abuse teams. Typically, each domain has been registered with stolen credit card credentials, so the registrations will likely lead to dozens of stop payments or chargebacks.
For several months, phishing sites on Avalanche domains have targeted the commercial banking platforms of over 30 financial institutions, major on-line services such as the US Internal Revenue Service, job search providers, and major pop culture sites, as a means of conducting financial fraud.
Recommended remediation
If you see the pattern of fast flux combined with random-looking strings of letters and numbers in the domain names, you should investigate immediately and suspend any of those domains found to be conducting fraudulent activity.
Be attentive to abuse reporting and respond quickly. Avalanche will continue to abuse your registration service to enable malicious activity until you block their registrations or suspend them quickly.
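The two indicators recommended above, random-looking labels and fast-flux resolution (short TTLs with a large, changing set of A records), can be combined into a simple triage check for an abuse team. The following is an added example, not part of the ICANN note; the thresholds and the DNS lookup samples are constructed for illustration and should be tuned against your own registration data.

```python
import math
from collections import Counter

# Constructed sample data: repeated lookups of one name over time, each
# recorded as (TTL in seconds, set of A-record IPs). Illustrative only.
LOOKUPS_FLUX = [
    (60, {"198.51.100.7", "203.0.113.19", "192.0.2.44"}),
    (60, {"203.0.113.88", "192.0.2.9", "198.51.100.120"}),
    (60, {"192.0.2.131", "203.0.113.5", "198.51.100.201"}),
]
LOOKUPS_STABLE = [
    (3600, {"192.0.2.10"}),
    (3600, {"192.0.2.10"}),
    (3600, {"192.0.2.10"}),
]


def looks_random(label):
    """Heuristic for 'random letters and numbers': the label mixes digits
    with letters, or has high character entropy and almost no vowels."""
    label = label.lower()
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    counts = Counter(label)
    n = len(label)
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values())
    letters = max(1, sum(c.isalpha() for c in label))
    vowel_ratio = sum(c in "aeiou" for c in label) / letters
    return (has_digit and has_alpha) or (entropy > 3.0 and vowel_ratio < 0.2)


def looks_fast_flux(lookups, max_ttl=300, min_distinct=5):
    """Fast-flux indicator: every TTL is short, the A-record set changes
    between consecutive lookups, and many distinct IPs are seen overall."""
    ttl_ok = all(ttl <= max_ttl for ttl, _ in lookups)
    changing = len(lookups) > 1 and any(
        lookups[i][1] != lookups[i + 1][1] for i in range(len(lookups) - 1)
    )
    seen = set().union(*(ips for _, ips in lookups))
    return ttl_ok and changing and len(seen) >= min_distinct


def triage(domain, lookups):
    """True when a registered name matches both indicators and warrants
    immediate investigation under the recommended remediation."""
    label = domain.split(".")[0]
    return looks_random(label) and looks_fast_flux(lookups)
```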
Registrars are also encouraged to consider and implement measures that harden their service against abuse, including:
- Adopting policies and procedures to suspend domain names within 24 hours of registration
- Strengthening account sign-up and initial domain registration certification requirements to reduce registration and credit card fraud
See the article "Dominant Threat Tactic: Avalanche" in the Phishing Trends Report, Second Quarter 2009, for related information: http://www.internetidentity.com/news
Direct questions, comments and reports regarding this situation awareness note to:
ICANN Security Team
Yurie Ito: yurie.ito@icann.org