The world’s most prolific phishing gang has completed a transition from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials, according to a report by APWG. While the Avalanche botnet infrastructure had been used to launch conventional spam-based phishing attacks over the past two years, the phishing has been replaced with a scheme that infects users’ PCs with the potent Zeus Trojan, a powerful banking credential-stealing malware.
The phishing syndicate had been successfully using the Avalanche botnet for conventional spam-based phishing attacks that provoke a user to visit a counterfeit website and enter his or her credentials. This Avalanche phishing accounted for two-thirds of all phishing attacks observed worldwide in late 2009.
But the Avalanche infrastructure was involved in just four conventional phishing attacks in the month of July 2010. Instead, the Avalanche-based syndicate ramped up a concerted campaign of crimeware propagation to fool victims into receiving the Zeus crimeware and infecting their PCs with it.
Avalanche has been sending billions of faked messages from tax authorities such as the IRS, false alerts/updates purporting to be from popular social networking sites, and other lures. These lures take victims to drive-by download sites, where the criminals infect vulnerable machines.
Once a machine is infected, the criminals can remotely access it, steal the personal information stored on it, and intercept passwords and online transactions. The criminals can even log into the victim’s machine to perform online banking transactions.
“While the cessation of phishing operations by the Avalanche phishing group is great news for the anti-phishing community, their shift to the nearly exclusive distribution of Zeus malware is an ominous development in the e-crime landscape,” said study co-author Rod Rasmussen. “Their spamming and other activities to target victims continue at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing.”
Co-author Greg Aaron added: “The Avalanche criminals recently rented a large botnet called Cutwail to send out massive amounts of spam lures. Those spams led unsuspecting Internet users to Zeus crimeware hosted on the Avalanche botnet. So this is a good example of how e-criminals don’t work in isolation, and often use multiple tools – spam, malware, botnets, and phishing – to do their work.”
