Major cybercrime network Avalanche dismantled in global takedown

The Avalanche network used 500,000 infected computers to launch phishing email attacks

Law enforcement agencies have arrested five suspects allegedly involved with the Avalanche network.
Credit: Michael Kan

Law enforcement agencies have dismantled a major cybercriminal network responsible for malware-based attacks that have been harassing victims across the globe for years.

The network, called Avalanche, operated as many as 500,000 infected computers on a daily basis and was responsible for delivering malware through phishing email attacks. Avalanche has been active since at least 2009, but on Thursday, authorities in the U.S. and Europe announced they had arrested five suspects allegedly involved with it.

Avalanche has been found distributing more 20 different malware families including GozNym, a banking Trojan designed to steal user credentials, and Teslacrypt, a notorious ransomware. Europol estimated the network has caused hundreds of millions of dollars in damages across the world.

To shut down Avalanche, law enforcement agencies embarked on an investigation that lasted longer than four years and involved agents and prosecutors in more than 40 countries, according to the U.S. Department of Justice.

Europol said 39 servers supporting Avalanche were seized, and another 221 were forced offline with notifications sent to their hosting providers. Investigators used a method known as sinkholing to infiltrate the cybercriminal’s computer infrastructure and disrupt its activities. This involved redirecting the internet traffic from Avalanche's infected computers to servers controlled by law enforcement.  

"The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale," Europol said in a statement.

The U.K.'s National Crime Agency also said 830,000 malicious web domains connected to Avalanche’s activities had been taken down.

Avalanche was found sending more than 1 million emails with malicious attachments or links every week to unsuspecting victims. The malware managed to infect users in more than 180 countries.

To avoid being shut down, Avalanche resorted to a technique called double fast flux to automatically change the IP address records with the domain names it used.

Investigators also said Avalanche ran one of the largest known botnets in the world. By infecting thousands of computers, the network could easily control them to send out massive amounts of spam.

"Criminals paid for access to the Avalanche network and through it could select and manage criminal services, such as malware, ransomware, money mule, and phishing campaigns,"  the U.K.'s National Crime Agency said.

Law enforcement agencies are encouraging users to scan their computers with free tools to remove any infections that may have come from Avalanche. Security firm Bitdefender said that even though the criminal network has been dismantled, the leftover malware on infected computers can still hog system resources and disrupt a user's internet access.

Related:
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon