Get ready for "cybercrime as a service"!

SWITCH security expert Serge Droz discusses cybercrime in 2015.

Text: Anja Eigenmann, published on 25.01.2016

SWITCH's statistics reveal that the number of malware infections concerning the top-level domains .ch and .li (Liechtenstein) fell sharply from 1,839 in 2014 to 698 in 2015. The threat from phishing remained at a similar level, with 329 cases in 2015 after 323 the year before.


In our interview, SWITCH security expert Serge Droz explains how he interprets these figures and what trends he sees in the cybercrime landscape.

What do you view as the stand-out events of 2015 as regards Internet security at SWITCH?
Serge Droz:
On the business side, there were two things: the launch of Safer Internet and the successful formation of CH-CERTs. The former is a package of measures aimed at preventing website infections in cooperation with hosting providers, registrars and the regulator. The latter is a forum for security experts from a range of Swiss firms and government departments to meet regularly so that they can improve security together. A personal highlight from my point of view was the course I held in Rwanda as part of the TRANSITS (Training for Incident Response Staff) project. Seeing how a country is developing under completely different conditions and with a much more difficult past than Switzerland was touching and left a lasting impression on me.

What trends do you see globally in Internet crime?
Generally speaking, the cyber underground has continued to become more professional, even to the extent where we can talk about "cybercrime as a service". Cybercriminals are now specialising and offering only individual links in the value chain.

What about Switzerland?
Attacks are being tailored specifically to our country. People are using e-mails written in one of our official languages that appear to be sent by a Swiss firm. This makes our job harder because we can't call on samples from our international partners. In addition, Trojans such as Dyre show that attacks on e-banking have become even more daring. Dyre only becomes active for bank accounts containing more than half a million francs, so the damage it causes is very severe.

How do you interpret SWITCH's figures concerning the .ch domain?
Various reports and studies have shown that .ch is among the most secure top-level domains in the world. This is made possible first and foremost by the legal basis the Federal Office of Communications gave us five years ago, which allows us to deactivate misused domains at short notice. The figures prove that this procedure is working. Now we want to optimise our anti-phishing procedure as well with the help of our national and international partners.

Where, in your opinion, are the new threats SWITCH needs to combat coming from?
SWITCH wants to step up its activities to combat the misuse of domains. Domains are misused, for example, by hacking web servers to fool search engines or by setting up fraudulent online shops. We restrict ourselves to the crime of hacking – the authorities are responsible for assessing web content. In general, however, we can say that cybercriminals are driven by money, and they'll keep seeking out new strategies to get their hands on it. They won't stop taking us by surprise.

What can we do about it?
We can make it more expensive for them to stage their attacks, for example by turning off hacked servers faster. That way, attacks in Switzerland won't be worth the effort any more.

Serge Droz

Dr Serge Droz studied physics at ETH Zurich and has a PhD in theoretical physics from the University of Alberta in Canada. He worked as a computer security officer at the Paul Scherrer Institute (PSI) in Villigen, canton of Aargau, before joining SWITCH in 2004. He is currently Senior Security Adviser.

Trends in 2015

The following trends and events dominated the cybercrime field in 2015:

Ransomware: Cybercriminals are increasingly blocking access to data and demanding money to restore it. They have even set up professional help desks for this purpose that provide victims with information.

Blackmail using DDoS attacks: Groups like DD4BC (DDoS for Bitcoins) and the Armada Collective threaten to shut down websites using distributed denial of service (DDoS) attacks, where a site is bombarded with queries, unless they are paid. Experience shows that paying up does not help. In fact, it makes it plain that the money is available, so the frequency of attacks merely increases. (MELANI newsletter in German, French and Italian)

APT (advanced persistent threat) taking on new dimensions: Criminals meticulously spy on their victims over a long period before striking with a tailor-made attack. This was previously a tactic favoured by intelligence services, but is now being done for profit as well – at least that is the impression given by the Carbanak case. The group that used this software waited two years to stage its attack. It hacked user accounts at banks, gained access to surveillance cameras and reprogrammed cash machines to give out notes with higher denominations than the software had registered. The damage ran to a billion US dollars and affected around 100 banks in 30 countries (Kaspersky analysis).

Tips for fighting cybercrime

  • Update your anti-virus software regularly
  • Allow automatic software updates
  • Use automated data backup
  • Run a free SISA check every month

See also Safer Internet
