The story illustrates how cybercrime works and the importance of cooperation across national borders.
Esch an der Alzette, Luxembourg, 6 a.m. It is a clear morning. In his detached house, Jean-Pierre Gadier turns on the coffee machine and opens his laptop to check his e-mails before heading out to work. The hospital manager sees a message purporting to be from PayPal. "My PayPal account's been blocked for security reasons?" he thinks to himself quizzically, clicking the link in the e-mail to verify his account details. Alarm bells ring in his head as soon as he sees the address in his browser's address bar: www.bellos-zahnarzt.ch/paypalverify.php. Wanting to play it safe, he enters the URL into the Luxembourg CERT's abuse checker.
The Computer Incident Response Center Luxembourg (CIRCL) automatically checks the dog dentist address provided by Gadier and forwards it to SWITCH-CERT via a European anti-phishing platform.
On the same morning, it is starting to rain in Zurich as the "Certie of the week" opens up the domain abuse platform. As he works through the reported domain names, he spots the dog dentist URL. He notifies the people responsible for the domain that it has been abused – he is required to do so by law. While the Certie is still busy classifying the domain abuse cases, the phone rings. Karl Bandmeier, holder of the domain bellos-zahnarzt.ch, is on the other end. "You e-mailed me a strange message," he says. "What’s the problem?" The Certie explains that the site has been abused for phishing and tells Mr Bandmeier how he can stop it. He points out that SWITCH would like to see the access log for the website, which could allow it to identify who installed the phishing code. Mr Bandmeier is grateful for the explanation and sends SWITCH-CERT the files it needs.
A few scripts later, the Certie has built up a picture of the case. He can identify the IP address from which the phishing pages were uploaded and knows where the stolen data are sent. The IP address belongs to the zone of a hosting provider based in Thailand.
The Certie immediately supplies the CERT in Thailand with information on the suspicious IP address. The Thai CERT contacts the local authorities, and the offending server is taken offline. Once the Thai authorities have assessed the data, SWITCH-CERT receives a list of victims in Switzerland and notifies them via its partners.
This story clearly illustrates how cases like this are dealt with swiftly thanks to close cooperation within the worldwide CERT community, thus minimising the risk to individuals. It also shows that the battle against cybercrime must be fought across national borders – not to mention across all organisations and companies. Cybercrime has become the business of a virtual Mafia that does not respect borders of any kind. A whole underground economy has arisen that functions in accordance with market forces and generates billions in turnover. In the UK, the National Crime Agency has reported that losses due to cybercrime are set to exceed those due to conventional crimes for the first time this year. These losses are estimated at several billion pounds.
Criminal organisations are prepared to spend months or even years and invest millions setting up precisely targeted attacks. Their success has given them very significant financial resources. They also have the upper hand because they do not care where one country or jurisdiction ends and another begins, unlike the organisations and companies they attack and the law enforcement authorities. On top of this, the digitalisation of all areas of modern life is vastly increasing our dependence on IT and leading to an exponential increase in the number of lucrative targets. The Federal Council’s recently revised security policy now treats universities as critical targets because they hold large quantities of data on individuals and applied research.
Sweeping changes lie ahead for information security. The ability to identify incidents quickly, respond appropriately and effectively, and collect the relevant threat intelligence at both national and international levels will be a vital asset. These are the areas in which SWITCH-CERT excels. We at SWITCH are working hard all the time to develop national and international cooperation with a view to helping the universities ensure that they enjoy high standards of security. The only way we can win the fight against cybercrime going forward is through more intensive cooperation.