
UK helps dismantle Avalanche global cyber network

The UK's National Crime Agency has contributed to the takedown of a cloud-based cyber crime network in a collaborative law enforcement operation involving 30 countries

The UK is among 30 countries that contributed to the dismantling of a cloud-computing network used by cyber fraudsters to target one million users every week with malware-infected emails.

The operation was led by Europol, the FBI and German police and supported by 30 law enforcement partners, including the UK’s National Crime Agency (NCA).

Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.

The operation followed a four-year investigation by the German police into the fraud linked to Avalanche that affected victims in 180 countries and is estimated to have run to hundreds of millions of dollars.

In a single day of co-ordinated action, more than 830,000 malicious web domains were taken down and communications blocked between criminals and the computers they controlled.

Five people were arrested, 37 premises were searched and 39 servers were seized, while 221 servers were put offline through abuse notifications sent to the hosting providers.

The removal of criminal control provides victims, many of whom will not know their machine is infected, with an opportunity to scan, disinfect and protect their computer against further attack.

Rob Wainwright, Europol director, said Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime.

Making the internet a safer place

“The complex trans-national nature of cyber investigations requires international co-operation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this co-operation we can collectively make the internet a safer place for our businesses and citizens,” he said.

Avalanche, which was set up in 2009, used up to 600 servers worldwide to host as many as 800,000 web domains at a time.

Cyber criminals rented the servers to launch and manage fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software to steal users’ bank details and other personal data for fraud or extortion.


At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.

The Avalanche network also enabled cyber criminals to select and manage other services, including botnets, denial of service attacks, money mule services and phishing campaigns.

Malware campaigns that were distributed through this network include goznym, marcher, matsnu, nymaim, urlzone, virut, xswkit, pandabanker, rovnix, teslacrypt, kbot, ranbyus, vm zeus and Vawtrak.

Avalanche was attractive to cyber criminals because it used a so-called double fast-flux network to defend itself from disruption and identification.

Computers connected to the internet match domain names to a location identified by an IP address, which tells the user’s computer where that domain is located.

A domain is usually fixed to one IP address for a long period of time, but the technique known as fast flux involves automatically and frequently changing the IP address records associated with a domain name.

Hulett said tools to scan computers for malware, remove it and offer protection in future can be found at:

Double fast-flux changes both the IP address records and the records of a component called a name server, which is used to match the domain to its IP addresses, making the network difficult to map and disrupt.
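To make the distinction between single and double fast-flux concrete from a defender's side, here is an added example that is not from the article or from any of the agencies named in it. It classifies a domain from repeated DNS resolution snapshots: the domain names, IPs, TTLs and thresholds are all constructed, and a stable name-server layer is used to separate CDN-style IP churn from the double fast-flux pattern described above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Snapshot:
    """One resolution of a domain: its A records and the IPs its name servers resolved to."""
    domain: str
    ttl: int
    a_records: tuple   # IPs the domain itself resolved to at this moment
    ns_ips: tuple      # IPs of the domain's authoritative name servers at this moment

# Constructed sample data (documentation ranges, not real indicators); snapshots minutes apart.
SAMPLE = [
    # Double fast-flux: both the A records and the name-server IPs rotate on short TTLs.
    Snapshot("flux.example", 150, ("198.51.100.10", "198.51.100.11"), ("203.0.113.5",)),
    Snapshot("flux.example", 150, ("198.51.100.12", "198.51.100.13"), ("203.0.113.6",)),
    Snapshot("flux.example", 150, ("198.51.100.14", "198.51.100.15"), ("203.0.113.7",)),
    Snapshot("flux.example", 150, ("198.51.100.16", "198.51.100.17"), ("203.0.113.8",)),
    # CDN-like: many short-lived A records, but the name-server layer never moves.
    Snapshot("cdn.example", 60, ("192.0.2.1", "192.0.2.2", "192.0.2.3"), ("192.0.2.53",)),
    Snapshot("cdn.example", 60, ("192.0.2.4", "192.0.2.5", "192.0.2.6"), ("192.0.2.53",)),
    # Ordinary domain: one IP, long TTL.
    Snapshot("static.example", 3600, ("192.0.2.100",), ("192.0.2.53",)),
    Snapshot("static.example", 3600, ("192.0.2.100",), ("192.0.2.53",)),
]

def classify(snapshots, min_ips=5, max_ttl=300, min_ns_ips=3):
    """Return {domain: (verdict, distinct_ips, distinct_ns_ips, max_ttl)}. Thresholds are assumed."""
    by_domain = defaultdict(list)
    for s in snapshots:
        by_domain[s.domain].append(s)
    result = {}
    for domain, snaps in by_domain.items():
        ips = {ip for s in snaps for ip in s.a_records}
        ns_ips = {ip for s in snaps for ip in s.ns_ips}
        ttl = max(s.ttl for s in snaps)
        # Single fast-flux: the A records churn across many IPs on short TTLs.
        flux = len(ips) >= min_ips and ttl <= max_ttl
        # Double fast-flux: the name-server layer churns too, so no single IP is a stable target.
        double = flux and len(ns_ips) >= min_ns_ips
        verdict = "double fast-flux" if double else "fast-flux" if flux else "stable"
        result[domain] = (verdict, len(ips), len(ns_ips), ttl)
    return result

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(domain, verdict)
```

A "fast-flux" verdict alone is a review queue rather than a block decision, since content delivery networks legitimately produce the same IP churn; it is the moving name-server layer that marks the double fast-flux pattern.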

Despite the use of double fast-flux, German police, with help from the NCA and other international partners, were eventually able to identify the infrastructure that lay behind the malware campaigns.

One tactic used against the network was sinkholing, in which traffic passing between infected computers and Avalanche was directed to servers monitored by law enforcement. This meant the criminals no longer controlled the computers they had infected and that victims could be identified so that fixes could be applied.

NCA officers took down the 2,210 Avalanche domains which had a .uk address. “The volume of fraudulent activity made possible by Avalanche was incredible,” said Mike Hulett of the NCA’s National Cyber Crime Unit.

“But the scale of the global law enforcement response was unprecedented, as 20 strains of malware and 800,000 domains were targeted on one day. This shows how serious we are about tackling cyber crime. The internet isn’t a safe haven for criminals.

“Unfortunately, taking down Avalanche doesn’t clean computers already infected with malware, so while the criminals are trying to rebuild their operations, computer users should use this window to install antivirus software and make sure they’re protected,” he said.
