In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.
Drive-by code on Swiss websites in 2014
Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.
The malicious code injected into Swiss websites was classified and grouped. From those injects that could be identified, the most common was iFrames from the BlackOSiframe traffic directing system (TDS). A TDS is a system that redirects website visitors by means of an invisible iFrame to an exploit that takes over the job of identifying vulnerabilities on the system and tries to exploit them to install malware. BlackOSiframe is available for purchase on the underground market. It prevents detection by anti-virus systems and also tries to intercept analysis by security experts. Different exploit kits were identified while analysing the compromised web pages. The most active one in Switzerland in 2014 was the Angler exploit kit, exploiting vulnerabilities in Adobe Flash and Java. Trend Micro also noticed increased activity by Angler in 2014, according to its security blog post “What’s New in Exploit Kits in 2014”. Activity from the Blackhole exploit kit, the most active in 2013, collapsed in 2014. The European Union Network Information Security Agency (ENISA) pointed out in its Threat Landscape 2014 report that the reason for this decline is the arrest of the author at the end of 2013.
Phishing on Swiss Websites in 2014
A record of 2,401 phishing URLs in the .ch and .li TLDs were reported to SWITCH in 2014, compared with less than 200 in 2013. After analysing the suspicious websites, phishing pages were found on 323 websites. In nearly all cases, the phishing page was set up by criminals on compromised websites without the agreement of the website owner. Only four domain names with names similar to a Swiss bank were registered by criminals intending to use them to steal bank clients’ confidential data. The most popular phishing targets on .ch websites were Apple and PayPal.
The domain holders and owners of compromised websites and also the web hoster were notified by SWITCH-CERT using the same process. In 298 (92%) cases, the phishing page was removed within one working day by the web hoster or domain holder. The domain was temporarily suspended in 25 cases, six of which were resolved after the domain name was temporarily suspended. In 19 cases, SWITCH sent a request for identification to the domain holder, which resulted in another 13 phishing pages being removed. There was no response to the identification request in the other six cases, as a result of which the domains were deleted. The very high success rate (92% in less than 24 hours) in removing phishing pages in Switzerland is due to the fast response of Swiss web hosting companies, which usually remove phishing pages from a compromised web server account immediately after receiving notification.
Phishing activities increase worldwide
The rise of phishing pages in the .ch and .li TLDs follows a worldwide trend, also noticed by ENISA. The Cybercrime Coordination Unit Switzerland KOBIK noted in its annual report, published last week, that 20% of all criminal reports concern phishing pages. Phishing attacks on Swiss organisations, typically Swiss banks and universities, also increased in 2014. Phishing pages targeting Swiss organisations are typically set up on websites outside Switzerland in top-level domains other than .ch or .li. This makes the removal of the phishing page more challenging as the ISPs and web hosters are typically overseas. In these cases, SWITCH-CERT supports the Swiss organisations by sending requests to the web hoster’s abuse contact to have the phishing pages removed. SWITCH-CERT also cooperates with organisations like the Anti-Phishing Working Group to make sure that these URLs are added to blacklists used by web browsers and anti-virus products as quickly as possible.
Internet users who enter their credentials or even financial data on the phishing site run the risk that their data will be misused for financial fraud, stealing confidential data or sending spam e-mails. When users share a password across multiple accounts, the compromise of one account gives the attackers full access to all accounts for which the same username/password combination is used. This is why SWITCH-CERT recommends choosing separate passwords for different Internet accounts and using a password manager.
Internet users in Switzerland can help to fight phishing by reporting phishing e-mails to the Swiss Internet Security Alliance https://www.swiss-isa.ch/feedback/.