Softpedia
 


October 21st, 2010, 08:26 GMT · By

Avalanche Gang Switches from Traditional Phishing to ZeuS


Notorious phishing gang starts distributing the ZeuS trojan
Security researchers warn that one of the world's largest phishing gangs, known in the security industry as Avalanche, is now relying on the infamous ZeuS trojan to steal sensitive data from users.

The announcement came from the Anti-Phishing Working Group (APWG), an international association of security vendors, financial organizations and law enforcement agencies that aims to prevent identity theft and fraud resulting from phishing attacks.

The Avalanche gang is a large cybercriminal syndicate believed to operate out of Eastern Europe.

According to APWG's statistics, it was responsible for as much as two thirds of the phishing attacks recorded during the second half of 2009.

Since then, the group seems to have scaled back its traditional phishing operations significantly in favor of the more efficient ZeuS information-stealing trojan.

APWG reports that only four Avalanche-related phishing attacks were observed during July 2010, which is significantly lower than last year.

"While the cessation of phishing operations by the Avalanche phishing group is great news for the anti-phishing community, their shift to the nearly exclusive distribution of Zeus malware is an ominous development in the e-crime landscape," said Rod Rasmussen, co-author of the APWG Global Phishing Survey: Trends and Domain Name Use in 1H2010.

"Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing," the researcher concludes.

Avalanche's new ZeuS distribution tactics involve sending fake emails that direct users to drive-by download websites hosted on its old phishing infrastructure.

These sites are capable of infecting computers without any interaction from their owners by exploiting vulnerabilities in outdated installations of popular applications like Java, Flash Player or Adobe Reader.

The rogue emails purport to come from taxation authorities like the IRS, as well as popular online services. There are indications that the gang rents portions of the Cutwail spam botnet in order to send them.
