Skip to main content

ICANN Situation Awareness Note 2009-10-06 High volume criminal phishing attack known as Avalanche the delivery method for the Zeus botnet infector | Zeus downloads and phishing currently targeting financial institutions and services through use of the DNS and fast flux techniques

The pattern seen with Avalanche involves targeting one to three registrars/domain name resellers for the bulk of an attack set, but also targeting a small number of other providers to test their suitability for future attacks. Once the provider(s) carrying the majority of the domain names starts to actively take down sites and implement other security procedures discussed below, Avalanche will move on to one or two of the previously tested providers, depending on the results of their previous tests.

When a registrar comes under attack by the Avalanche, its abuse team will likely receive many takedown requests and follow up contacts from the targeted banks/on-line service providers and their security companies, such as BrandProtect, Cyveillance, Mark Monitor, Internet Identity, and RSA.  Given how many banks are being attacked at once, these contacts may result in overwhelming incoming communications which can cause a lot of unnecessary work for your legal, support and abuse team. Typically, each domain has been registered with stolen credit card credentials and will likely lead to dozens of stop payment or charge backs.

Phishing sites on Avalanche domains are targeting commercial banking platforms of over 30 financial institutions, major on-line services such as the US Internal Revenue Service, job search providers, and major pop culture as a means of conducting financial fraud for several months.

Recommended remediation

If you see the pattern of fast flux plus use of random letters and numbers in the domain names, you should investigate immediately and suspend any of those domains found to be conducting fraudulent activity.

Be attentive to abuse reporting and respond quickly. Avalanche will continue to abuse your registration service to enable malicious activity until you block their registrations or suspend them quickly.

Registrars are also encouraged to consider and implement measures that harden their service against abuse, to include

  • Adopting policies and procedures enacted to suspend domain names within 24 hours of registration
  • Strengthening account sign-up and initial domain registration certification requirements to reduce registration and credit card fraud

See article "Dominant Threat Tactic:  Avalanche" in the Phishing Trends Report, Second Quarter 2009 for more related information at:

Questions, comments and reporting regarding this situation awareness

ICANN Security Team
Yurie Ito:

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."