The UK is among 30 countries that contributed to the dismantling of a cloud-computing network used by cyber fraudsters to target one million users every week with malware-infected emails.
The operation was led by Europol, the FBI and German police and supported by 30 law enforcement partners, including the UK’s National Crime Agency (NCA).
Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.
The operation followed a four-year investigation by the German police into the fraud linked to Avalanche that affected victims in 180 countries and is estimated to have run to hundreds of millions of dollars.
In a single day of co-ordinated action, more than 830,000 malicious web domains were taken down and communications blocked between criminals and the computers they controlled.
Five people were arrested, 37 premises were searched and 39 servers were seized, while 221 servers were put offline through abuse notifications sent to the hosting providers.
The removal of criminal control provides victims, many of whom will not know their machine is infected, with an opportunity to scan, disinfect and protect their computer against further attack.
Rob Wainwright, Europol director, said Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime.
Making the internet a safer place
“The complex trans-national nature of cyber investigations requires international co-operation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this co-operation we can collectively make the internet a safer place for our businesses and citizens,” he said.
Avalanche, which was set up in 2009, used up to 600 servers worldwide to host as many as 800,000 web domains at a time.
Cyber criminals rented the servers to launch and manage fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software to steal users’ bank details and other personal data for fraud or extortion.
At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.
Malware campaigns that were distributed through this network include goznym, marcher, matsnu, nymaim, urlzone, virut, xswkit, pandabanker, rovnix, teslacrypt, kbot, ranbyus, vm zeus and Vawtrak.
Avalanche was attractive to cyber criminals because it used a so-called double fast-flux network to defend itself from disruption and identification.
Computers connected to the internet use the domain name system to resolve domain names such as computerweekly.com to an IP address, which tells the user’s computer where that domain is hosted.
A domain is usually fixed to one IP address for a long period of time, but the technique known as fast flux involves automatically and frequently changing the IP address records associated with a domain name.
Double fast flux changes both the IP address records and the name server records (the name server is the component that answers lookups for the domain and maps it to its IP addresses), making the network much harder to map and disrupt.
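The difference between single and double fast flux is visible in DNS data: a fluxing domain churns through many A records with short TTLs, and a double-fluxing domain churns through its NS records as well. The following heuristic, an added example rather than anything from the article or the Avalanche investigation, scores a domain from constructed passive-DNS style observations; the domain names, addresses and thresholds are assumed values for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (seconds, name, rrtype, rdata, ttl).
# flux.example rotates both its A records and its NS names on short TTLs;
# stable.example keeps one address and one name server for the whole window.
OBSERVATIONS = [
    (0,    "flux.example",   "NS", "ns1.fluxhost.example", 180),
    (0,    "flux.example",   "A",  "198.51.100.10", 150),
    (300,  "flux.example",   "A",  "198.51.100.77", 150),
    (600,  "flux.example",   "NS", "ns7.other-host.example", 180),
    (600,  "flux.example",   "A",  "203.0.113.5", 150),
    (900,  "flux.example",   "A",  "203.0.113.140", 150),
    (1200, "flux.example",   "NS", "ns3.third.example", 180),
    (1200, "flux.example",   "A",  "192.0.2.44", 150),
    (0,    "stable.example", "NS", "ns1.stable.example", 86400),
    (0,    "stable.example", "A",  "192.0.2.1", 3600),
    (3600, "stable.example", "A",  "192.0.2.1", 3600),
]


def flux_profile(observations, name):
    """Count distinct A and NS values seen for a domain and the lowest TTL of each."""
    rdata = defaultdict(set)
    min_ttl = {}
    for _, qname, rrtype, value, ttl in observations:
        if qname != name:
            continue
        rdata[rrtype].add(value)
        min_ttl[rrtype] = min(ttl, min_ttl.get(rrtype, ttl))
    return {
        "a_count": len(rdata["A"]),
        "ns_count": len(rdata["NS"]),
        "a_ttl": min_ttl.get("A"),
        "ns_ttl": min_ttl.get("NS"),
    }


def classify(observations, name, min_ips=4, min_ns=2, max_ttl=600):
    """Label a domain stable, single-fast-flux or double-fast-flux (thresholds are assumed)."""
    p = flux_profile(observations, name)
    ip_flux = p["a_count"] >= min_ips and p["a_ttl"] is not None and p["a_ttl"] <= max_ttl
    ns_flux = p["ns_count"] >= min_ns and p["ns_ttl"] is not None and p["ns_ttl"] <= max_ttl
    if ip_flux and ns_flux:
        return "double-fast-flux"
    if ip_flux:
        return "single-fast-flux"
    return "stable"
```

In practice the observations would come from a resolver's query logs or a passive-DNS feed, and the thresholds would be tuned against legitimate CDN domains, which also rotate addresses but rarely rotate name servers.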
Despite the use of double fast-flux, German police, with help from the NCA and other international partners, were eventually able to identify the infrastructure that lay behind the malware campaigns.
One tactic used against the network was sinkholing, in which traffic passing between infected computers and Avalanche was directed to servers monitored by law enforcement. This meant the criminals no longer controlled the computers they had infected and that victims could be identified so that fixes could be applied.
NCA officers took down the 2,210 Avalanche domains that used a .uk address. “The volume of fraudulent activity made possible by Avalanche was incredible,” said Mike Hulett of the NCA’s National Cyber Crime Unit.
“But the scale of the global law enforcement response was unprecedented, as 20 strains of malware and 800,000 domains were targeted on one day. This shows how serious we are about tackling cyber crime. The internet isn’t a safe haven for criminals.
“Unfortunately, taking down Avalanche doesn’t clean computers already infected with malware, so while the criminals are trying to rebuild their operations, computer users should use this window to install antivirus software and make sure they’re protected,” he said.