The cybercrime watchdog bites back

The story illustrates how cybercrime works and the importance of cooperation across national borders.

Text: Silvio Oertli, Martin Leuthold, published on 19.09.2016

Esch an der Alzette, Luxembourg, 6 a.m. It is a clear morning. In his detached house, Jean-Pierre Gadier turns on the coffee machine and opens his laptop to check his e-mails before heading out to work. The hospital manager sees a message purporting to be from PayPal. "My PayPal account's been blocked for security reasons?" he thinks to himself quizzically, clicking the link in the e-mail to verify his account details. Alarm bells ring in his head as soon as he sees the address in his browser's address bar. Wanting to play it safe, he enters the URL into the Luxembourg CERT's abuse checker.

The Computer Incident Response Center Luxembourg (CIRCL) automatically checks the dog dentist address provided by Gadier and forwards it to SWITCH-CERT via a European anti-phishing platform.

Domain holder notified

On the same morning, it is starting to rain in Zurich as the "Certie of the week" opens up the domain abuse platform. As he works through the reported domain names, he spots the dog dentist URL. He notifies the people responsible for the domain that it has been abused – he is required to do so by law. While the Certie is still busy classifying the domain abuse cases, the phone rings. Karl Bandmeier, holder of the domain, is on the other end. "You e-mailed me a strange message," he says. "What's the problem?" The Certie explains that the site has been abused for phishing and tells Mr Bandmeier how he can stop it. He points out that SWITCH would like to see the access log for the website, which could allow it to identify who installed the phishing code. Mr Bandmeier is grateful for the explanation and sends SWITCH-CERT the files it needs.

IP address identified

A few scripts later, the Certie has built up a picture of the case. He can identify the IP address from which the phishing pages were uploaded and knows where the stolen data are sent. The IP address belongs to the zone of a hosting provider based in Thailand.
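What the Certie's "few scripts" might look like, as an added example that is not part of the original article: it parses constructed access log lines for the compromised site (hypothetical paths and RFC 5737 test addresses), picks out the client that first reached the phishing kit together with the write requests it made beforehand, and lists the clients that submitted credentials, which is the victim list handed on for notification.

```python
import re
from datetime import datetime

# Constructed Apache "combined"-style access log lines (hypothetical site,
# paths and RFC 5737 test addresses; not the real case from the article).
LOG = """\
203.0.113.7 - - [06/Sep/2016:02:11:04 +0200] "POST /wp-admin/admin-ajax.php?action=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2016:02:11:09 +0200] "GET /images/.pp/login.php HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Sep/2016:05:58:31 +0200] "GET /images/.pp/login.php HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Sep/2016:05:59:02 +0200] "POST /images/.pp/submit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Sep/2016:06:02:17 +0200] "GET /images/.pp/login.php HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Sep/2016:06:03:45 +0200] "POST /images/.pp/submit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Sep/2016:06:05:00 +0200] "GET /dog-dentistry/prices.html HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_log(text):
    """Parse combined-format lines into dicts sorted by time; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def find_uploader(entries, kit_prefix):
    """Return (ip, writes): the first client to request the phishing kit (attackers usually
    test their page right after installing it) and every POST/PUT it issued before that
    first visit, i.e. the likely upload channel."""
    first = next((e for e in entries if e["path"].startswith(kit_prefix)), None)
    if first is None:
        return None, []
    writes = [e["path"] for e in entries
              if e["ip"] == first["ip"] and e["ts"] < first["ts"]
              and e["method"] in ("POST", "PUT")]
    return first["ip"], writes

def victim_ips(entries, kit_prefix, uploader_ip):
    """Clients that submitted the phishing form (POST into the kit), excluding the uploader;
    this is the list a CERT passes to the victims' national CERT for notification."""
    seen = []
    for e in entries:
        if (e["method"] == "POST" and e["path"].startswith(kit_prefix)
                and e["ip"] != uploader_ip and e["ip"] not in seen):
            seen.append(e["ip"])
    return seen

if __name__ == "__main__":
    ents = parse_log(LOG)
    ip, writes = find_uploader(ents, "/images/.pp/")
    print("uploader:", ip, "via", writes)
    print("victims:", victim_ips(ents, "/images/.pp/", ip))
```

The uploader's address is what gets passed to the CERT responsible for the hosting provider's network; where the harvested data are sent is read from the kit's own source files, which the log alone does not show.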

The Certie immediately supplies the CERT in Thailand with information on the suspicious IP address. The Thai CERT contacts the local authorities, and the offending server is taken offline. Once the Thai authorities have assessed the data, SWITCH-CERT receives a list of victims in Switzerland and notifies them via its partners.

Fighting cybercrime

This story clearly illustrates how cases like this are dealt with swiftly thanks to close cooperation within the worldwide CERT community, thus minimising the risk to individuals. It also shows that the battle against cybercrime must be fought across national borders – not to mention across all organisations and companies. Cybercrime has become the business of a virtual Mafia that does not respect borders of any kind. A whole underground economy has arisen that functions in accordance with market forces and generates billions in turnover. In the UK, the National Crime Agency has reported that losses due to cybercrime are set to exceed those due to conventional crimes for the first time this year. These losses are estimated at several billion pounds.

Criminal organisations are prepared to spend months or even years and invest millions setting up precisely targeted attacks. Their success has given them very significant financial resources. They also have the upper hand because they do not care where one country or jurisdiction ends and another begins, unlike the organisations and companies they attack and the law enforcement authorities. On top of this, the digitalisation of all areas of modern life is vastly increasing our dependence on IT and leading to an exponential increase in the number of lucrative targets. The Federal Council’s recently revised security policy now treats universities as critical targets because they hold large quantities of data on individuals and applied research.

Sweeping changes lie ahead for information security. The ability to identify incidents quickly, respond appropriately and effectively, and collect the relevant threat intelligence at both national and international levels will be a vital asset. These are the areas in which SWITCH-CERT excels. We at SWITCH are working hard all the time to develop national and international cooperation with a view to helping the universities ensure that they enjoy high standards of security. The only way we can win the fight against cybercrime going forward is through more intensive cooperation.

About the author

Silvio Oertli

Silvio Oertli studied for a degree in IT at the Zurich University of Applied Sciences alongside his work and graduated in 2006. After spending several years in law enforcement, he joined SWITCH in 2015. He is now in charge of the CERT team for the universities and the registry.

About the author

Martin Leuthold

After studying at ETH Zurich, Martin Leuthold worked in a number of security functions in Switzerland and abroad, including CISO of a multinational industrial conglomerate. He has been in charge of SWITCH’s Security division since February 2016.
20 Years of SWITCH-CERT

SWITCH-CERT was officially recognised by the body that coordinates all CERTs around the world in 1996. This paved the way towards regular membership of the global Forum for Incident Response and Security Teams, FIRST for short. SWITCH-CERT is thus celebrating its 20th birthday this year. To mark the occasion, you will find articles about SWITCH-CERT under Stories, including a history of the team.