Avalanche, a network of servers believed to be used to mount two-thirds of all phishing attacks worldwide, has been taken offline following a major coordinated effort by police groups and security firms.
It is understood that more than 50 Avalanche servers worldwide were taken offline.
Law enforcement officers seized command and control servers and took over more than 800,000 internet domains that were used by Avalanche.
Avalanche is understood to have served up two-thirds of the world’s phishing attacks, and at least 17 different malware families since 2009.
‘Avalanche caused an estimated €6m in damages in concentrated cyberattacks on online banking systems in Germany alone’
Europol said the sting operation involved more than four years of investigations involving the public prosecutor’s office in Verden, the Lüneburg police in Germany, the US attorney’s office for the western district of Pennsylvania, the US department of justice, Europol, FBI, Eurojust and various global security partners.
In all, it involved prosecutors in 30 countries.
As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized.
Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers.
The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1m emails with damaging attachments or links every week to unsuspecting victims.
“Today marks a significant moment in the fight against serious organised cybercrime, and exemplifies the practical and strategic importance of Eurojust in fostering international cooperation,” said Michèle Coninsx, president of Eurojust.
“Together with the German and US authorities, our EU and international partners, and with support from Eurojust and EC3; Avalanche, one of the world’s largest and most malicious botnet infrastructures, has been decisively neutralised in one of the biggest takedowns to date.”
Down the sinkhole
Europol said the operation marks the largest ever use of sinkholing to combat botnet infrastructures, with over 800,000 domains seized, sinkholed or blocked.
Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company.
“The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns,” Europol said.
“It has caused an estimated €6m in damages in concentrated cyberattacks on online banking systems in Germany alone.”
The US department of justice said the scale of the operation was unprecedented in cyber law enforcement history and marks a new turning point in the war on cybercrime. “The operation involves an unprecedented and ongoing effort to seize, block and sinkhole more than 800,000 malicious domains associated with the Avalanche network,” it said.
“The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide. The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,” according to the US department of justice.