Dodgy coronavirus-related domains. Phishing attacks. Cybercrime. How much more prevalent have underhand activities become in Switzerland since the outbreak of the coronavirus?
The coronavirus has turned our everyday lives upside down, and society has found itself in an extraordinary situation. The inherent uncertainty has meant that people need more information and protection, not to mention new working conditions – and criminals are cleverly exploiting this situation. When the lockdown hit, the internet all of a sudden became the virtual solution to almost everything. As the registry for .ch domains, the IT infrastructure provider for universities and a multi-sector CERT, SWITCH has a good overview of the cybercrime occurring in the shadow of the rapid rise of the digital economy.
The international press has published a wealth of warnings about malicious new coronavirus-related domains. As the registry for .ch domain names, SWITCH has indeed received an excessive number of private reports of allegedly abusive registrations of domain names containing keywords like ‘corona’, ‘covid’ and ‘virus’. SWITCH has examined all of these reports. In cases where there was any doubt as to a domain holder’s identity, a holder identification process was initiated in which the holder had to confirm who they were by providing an identity document. Certainly, there have been some cases where such requests have gone unanswered, and the domain names have therefore been deleted. But in most cases, everything was above board with respect to the domain holders’ identities, and no further action had to be taken.
The Swiss authorities have also reported more suspicious cases to the registry since March. The authorities recognised by OFCOM have access to the entire zone file containing all domain names, which allows them to spot suspicious new registrations. From March to May, the registry received a total of 253 administrative assistance requests about establishing and providing the authorities with details of the identities and Swiss correspondence addresses of holders of suspect domain names. This is a standard procedure that’s used several thousand times each year when dodgy dealings (including the likes of fake web shops) are suspected. Responses were sent to a strikingly large number of requests, and the authorities were able to settle potential illegal activity directly with the domain name holders.
In a few cases, newly registered domain names were also temporarily blocked at the authorities’ request – if websites required visitors to enter personal information and credit card details, for example, and were suspected of being fake web shops designed to phish data. Here too, most of the domain name holders were quick to contact us; their web shops were unblocked and the authorities clarified the matter with the holders. However, there were also a few domain names used for shops offering ‘coronavirus tests’ that were deleted because the holders did not prove their identities within 30 days.
SWITCH has not noticed malware and phishing attacks spreading on any of the newly registered coronavirus-related domain names, and MELANI (the Reporting and Analysis Centre for Information Assurance) is not aware of any such cases either. The perpetrators were well aware of just how much attention these domain names generate and used more inconspicuous domain names to carry out their attacks.
One development that could be established, though, was a rise in the number of phishing attacks on Swiss internet users working from home. The fact that people are working outside the largely protected network at their regular place of work has only made these attacks easier to carry out. The attacks that SWITCH-CERT has observed were deliberately aimed at higher education staff and users of Swiss IT service providers such as web hosting services. Fraudsters then often abused the web hosting access credentials they got their hands on to host additional phishing sites on the existing domain names and web servers. Fortunately, these compromises were identified and eliminated quickly. Various hosts have warned their customers of the attacks, and MELANI (the Reporting and Analysis Centre for Information Assurance) has also reported a spike in phishing activities.
One of the most prominent phishing attacks performed internationally, right at the beginning of the pandemic, was carried out on in the name of the WHO. The international organisation failed to protect its domain name (who.int) from abuse – neither with DNSSEC, nor with DMARC. While DNSSEC protects against unlawful redirections to other websites, DMARC is used to protect against email spoofing, so attackers cannot send emails on someone else’s behalf. And that’s exactly what happened to the WHO. Scam artists sent out phishing emails in the name of the organisation – the global, supreme authority during the health crisis – and used the pandemic as a springboard for distributing malware. No use was made of a simple virtual hygiene measure such as DMARC to authenticate emails. The WHO has since activated DMARC for its domain name. Not only does DMARC protect the organisation from such dodgy dealings, it also makes it easier for email recipients to detect phishing emails. In Switzerland, some organisations and IT service providers have introduced DMARC too – perhaps also in response to the growing number of phishing attacks. Some Swiss providers are reporting that DMARC has allowed them to filter out major phishing campaigns and thus protect their customers. Even though there has been an 8% rise in DMARC use in Switzerland, the country still needs to urgently improve its cyber hygiene, as with the use of other standards in Switzerland.
The rise in cybercrime connected with the coronavirus pandemic highlights yet again just how fragile the internet infrastructure really is. Applying security standards such as DMARC and DNSSEC should therefore be given urgent priority to strengthen digital Switzerland’s resilience for the future and thus make it more difficult for scammers to carry out image-damaging cyber attacks.