UK helps dismantle Avalanche global cyber network sending 1m fraudulent emails a week

1 Dec 2016

A cloud-computing network used by cyber fraudsters to target one million users every week with malware-infected emails has been taken down by law enforcement agencies from more than 30 countries.

The operation to dismantle the Avalanche cloud-hosting service was led by Europol, the FBI and German police and supported by partners from 30 countries including the National Crime Agency (NCA). It followed a four-year investigation by the German police.

The cost to the global economy from fraud linked to Avalanche is estimated to have run to hundreds of millions of dollars.

In a single day of coordinated action, more than 830,000 malicious web domains were taken down, breaking the channel between criminals and the computers they controlled.

In addition, five individuals were arrested, 37 premises were searched and 39 servers were seized, while 221 servers were put offline through abuse notifications sent to the hosting providers. Victims of malware were identified in over 180 countries.

The removal of criminal control provides victims, many of whom will not know their machine is infected, with an opportunity to scan, disinfect and protect their computer against further attack from the criminal groups.

Avalanche, which was set up in 2009, comprised up to 600 servers worldwide and was used to host as many as 800,000 web domains at a time.

Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data.

The criminals used the stolen information for fraud or extortion. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer.

At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.

Yesterday NCA officers took down the 2,210 Avalanche domains which had a .uk address. Mike Hulett, of the NCA’s National Cyber Crime Unit, said: “The volume of fraudulent activity made possible by Avalanche was incredible. But the scale of the global law enforcement response was unprecedented as 20 strains of malware and 800,000 domains were targeted on one day. This shows how serious we are about tackling cyber crime. The internet isn’t a safe haven for criminals.

“Unfortunately taking down Avalanche doesn’t clean computers already infected with malware, so while the criminals are scrabbling around inevitably trying to rebuild their operations computer users should use this window to install anti-virus software and make sure they’re protected..”

The tools at the following links will safely scan your computer for malware, remove it and offer protection in future:

Trend Micro

ESET Online Scanner 


McAfee Stinger

Microsoft Safety Scanner

Norton Power Eraser

The Government’s Cyber Aware website provides information on how to stay safe online.

You can report fraud and cyber crime to Action Fraud online or by speaking to a specialist fraud and cyber crime adviser on 0300 123 2040.

Why Avalanche was popular and how it worked:

Criminals paid for access to the Avalanche network and through it could select and manage criminal services, such as malware, ransomware, money mule and phishing campaigns.

Fraudulent emails sent to computer users contained either malicious attachments - which directly downloaded malware onto the computer - or links that, when clicked, connected the user’s computer to web domains which infected the computer.

Once infected, a computer would be controlled remotely, send information to criminals, or both. A criminal with control of a network of infected computers, a so-called botnet, could send out high volumes of fraudulent email or massive amounts of traffic to websites in order to shut them down.

Avalanche was attractive to cyber criminals because it used a so-called double fast-flux network to defend itself from disruption and identification.

Computers connected to the internet match domain names (e.g. to a location identified by an IP address, which tells the user’s computer where that domain is located. A domain is usually fixed to one IP address for a long period of time.

The technique known as fast flux involves automatically and frequently changing the IP address records associated with a domain name.

Double Fast Flux changes both the IP address records and a component called a name server that is used to match the IP addresses and domain. This makes it difficult to understand a computer network and so to disrupt it.

Malware campaigns that were distributed through this network include goznym marcher, matsnu, nymaim, urlzone, virut, xswkit, pandabanker, rovnix, teslacrypt, kbot, ranbyus, vm zeus, kins, CoreBot, Dofoil, GOZI2, Slempo, Trusteer App and Vawtrack.

Despite the use of double fast-flux, German police, with help from the NCA and other international partners, were eventually able to identify the infrastructure that lay behind the malware campaigns.

One tactic used against the network was sinkholing, in which traffic passing between infected computers and Avalanche was directed to servers monitored by law enforcement. This meant the criminals no longer controlled the computers they had infected and that victims could be identified so that fixes, known as patches, could be applied.

The sinkholing operation was the largest ever conducted by law enforcement, with 800,000 domains targeted.

Share this Page: