Anti-Phishing Group Posts Intriguing Report


The APWG (Anti-Phishing Work Group) recently held its Counter Crime Operations Summit (CeCOS) in São Paulo, Brazil, on May 11-13, 2010. Over the years, the APWG has held its conferences in different countries, reflecting the international nature of the fight against this type of cybercrime (phishing spam). The next APWG conference is the eCrime Researchers Summit in Dallas, Texas, in October 2010.

The admirable reporting by the (Brazilian CERT team) and other Brazilian Incident Response teams deserves a mention because they appear to be among the most proactive Incident Response teams worldwide in reporting phishing, malware and other types of internet abuse incidents to various ISPs. Because of such strong efforts, Brazilian-related cybercrime gets more attention than cybercrime related to other countries with a large online presence, such as China or Russia.

Global Phishing Survey

In May 2010, APWG researchers Greg Aaron and Rod Rasmussen published the report Global Phishing Survey: Domain Name Use and Trends in 2H2009, which describes the Avalanche phishing group as making up two thirds of all phishing attacks, based on data collected in the second half of 2009.

Subdomain Abuse on Free Webhosters

The Global Phishing Survey gives a very detailed view of phishing attacks broken down by TLD (top-level domain) and of the compromised phishing sites that were reported. The report also notes the free subdomain hosting services that were abused by phishers, compiling a top 20 offender list on page 20 of the APWG report. These free subdomain services are not doing enough to minimize fraudulent signups. It would appear that cybercriminals flock to such sites in droves to defraud others, even if the response is whack-a-mole. Typically, the scams are reported after their spam run, and then the hoster shuts them down.

The number one offender of phishing sites on subdomains was which is hosted in the US by the webhoster of New Jersey; (’s A record is on / AS19318).  Other failures to curb phishing sign-ups to note in the top 5:,, and

Avalanche Phishing and ZeuS botnet

The 33-page report details the reported phishing website trends as of the second half of 2009. Avalanche is the current name for phishing site hosting that uses fast flux DNS on large botnets, and it has involved many fraudulent domain name sign-ups with unresponsive registrars worldwide and spoofs of many brands. This large phishing organization (2006-2008) had been dubbed Rockphish due to the patterns found in folder names. At that time, the Rockphish group was quite successful in stealing millions of dollars.

This newer group, now called Avalanche, uses techniques similar to those of Rockphish. The Avalanche group is also making use of the ZeuS botnet to steal banking information from users who download the malware they received via spam. Current ZeuS botnet statistics can be found online on the ZeuS Botnet Tracker.

According to the APWG report, phishing attacks on compromised sites are still very plentiful, and they tend to stay online longer than the fast flux Avalanche botnet phishing sites.

It is very hard to say whether the groups behind this large phishing enterprise will be caught and prosecuted, but at the time of this post, their activity appears to be still going strong, based on the APWG reports referenced here. It is worth noting that continued international cooperation among law enforcement, private industry, independent researchers, academics and governments is truly a must to stem the problem of cybercrime in general. Other efforts matter as well, but international cooperation is probably the most important aspect of fighting online crime. International efforts such as APWG are commendable.

Selected Media References:

Ars Technica:  Phishing servers being killed off faster than ever

Network World: Worst phishing menace may be prepping more dangerous version of itself
