Success in the fight against cybercrime

SWITCH recorded a marked decrease in malware infecting Swiss websites in 2015. In contrast to other domains, websites ending in .ch did not see a further increase in phishing cases. SWITCH’s efforts to stop domains being misused are proving effective, making .ch increasingly unattractive as a target for attacks.

Published on 25.01.2016

The SWITCH foundation protects Swiss websites against misuse. “Cybercriminals are driven by money. We are quick in identifying domain misuse and acting to stop it, so attacking Swiss websites is becoming less and less worthwhile,” explains SWITCH security expert Serge Droz.

Malware down, phishing stable
SWITCH took action to remove malware from 698 .ch and .li websites in 2015, down from 1,839 in 2014. The situation as regards phishing was more or less stable: 329 .ch and .li websites were affected, compared with 323 in 2014. Meanwhile, there was an increase in the number of phishing attacks on Swiss companies’ websites with other domain endings. Droz sees new challenges where phishing is concerned: “Phishing attacks did not focus solely on banks in Switzerland last year, they were primarily targeted at online shops. Our goal for 2016 is to be even more efficient in dealing with phishing. Since we can only have a direct influence on .ch and .li, we are all the more dependent on cooperation with colleagues in Switzerland and abroad when it comes to other domain endings.”

Established process with mandate from OFCOM
SWITCH has been using a standardised process to combat malware since 2010. The foundation works closely together with the registrars, the authorities and the Federal Office of Communications (OFCOM). The fight against malware was enshrined in the Ordinance on Internet Domains (OID) in 2015.

Standardised action against phishing since 2014
In view of the sharp increase in phishing, SWITCH extended the malware process in 2014 to cover this form of cybercrime as well. Attempts to gain access to passwords or credit card information by illegal means can have far-reaching consequences for private individuals and companies alike. When SWITCH identifies phishing attacks on a .ch or .li website, it notifies the domain holder and the hosting provider immediately. In more than 90% of cases, they clean up the phishing site within 24 hours. “For websites with endings other than .ch and .li, we contact our colleagues and partners around the world,” says Droz. “Thanks to our network of contacts, this works very well indeed.”

Pioneering role in international fight against cybercrime
SWITCH’s process for combating domain misuse and its national and international cooperation are unique worldwide. The significant fall in malware cases and the stabilisation in phishing in Switzerland are attracting interest internationally. SWITCH placed particular emphasis in 2015 on prevention and expanding its alerting network. Its new website helps domain holders, hosting providers and registrars to deal with domain misuse.

Cybercrime worldwide in 2015: Ransoms, blackmail and spying
Serge Droz outlines the international situation: “Cybercrime has continued to become more professional. It is evolving into an underground economy in which people are specialising to the extent that we can talk about ‘cybercrime as a service’.” The key trends and events of 2015 in the world of cybercrime were as follows:

  • Ransomware: Cybercriminals block access to data and demand money to restore it. They have even set up their own help desks for this purpose that provide victims with information.
  • Blackmail using DDoS attacks: Groups like DD4BC (DDoS for Bitcoins), who were recently arrested, and the Armada Collective threaten to shut down websites using distributed denial of service (DDoS) attacks, where a site is bombarded with queries, unless they are paid. Experience shows that paying up does not help. It merely encourages demands for more money, so the attacks actually become more frequent.
  • APT (advanced persistent threat) taking on new dimensions: Attackers spy on their victims over a lengthy period in order to work out a tailor-made attack. The most extreme known case is probably that of the group using a piece of malware called Carbanak. They waited two years to strike, then hacked into user accounts at banks, gaining access to surveillance cameras and reprogramming cash machines so that they gave out banknotes with higher denominations than the software had registered. The damage caused to around 100 banks in 30 countries may be as much as USD 1 billion.


Interview with SWITCH security specialist Serge Droz, looking back over 2015 and ahead to 2016:

SWITCH’s “Safer Internet” prevention website:

Five tips to make your website safer:


Definition of terms

Cybercriminals install drive-by code on websites by exploiting security loopholes in content management systems and using hacked access details. Once drive-by code is installed on a site, it attempts to load malware onto the computers and mobile devices of people visiting that site. This happens without the visitors or their anti-virus software noticing.

Cybercriminals use falsified login pages on hacked websites to steal access details that allow them to log into online accounts, for example on social media, e-banking or shopping sites. Making use of a stolen identity, they have full access to the services that person has subscribed to, and they take advantage of this to carry out fraudulent transactions at the victim’s expense.


Reporting suspected phishing: SWITCH recommends reporting it directly to the Swiss Internet Security Alliance (SISA), a joint initiative of Swiss providers of Internet and financial services and security firms. SWITCH is a founding member of SISA.