SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading


Drive-by code and Phishing on Swiss websites in 2014

In 2014, about 1,800 Swiss websites were cleaned from drive-by code, compared with 2,700 in 2013, a decline of 33%. At the same time, the number of phishing cases affecting .ch and .li top-level domains rose from only a handful in 2013 to more than 300.

Drive-by code on Swiss websites in 2014

Last year, 35,796 suspicious drive-by URLs in the .ch and .li top-level domains were reported to SWITCH. Security experts from SWITCH-CERT automatically sent requests to these servers and analysed the responses, looking for malicious code injected into the HTML source code. When an expert identified malicious code, the registrar or domain name holder and the web hoster were notified and asked to remove it within one working day. This was done for 1,839 domain names in 2014. In 1,493 (81%) cases, the code was removed by the web hoster or domain holder within one day. For the other 346 domains, the deadline was not met, and the domain name was temporarily suspended to prevent further damage to website visitors. Some 264 (14%) of the infected websites were cleaned of malicious code, with the remaining 82 domain names having to be reactivated after five days, the maximum suspension time by law. A request for identification was sent to the holders of all 82 domains, resulting in an additional 59 (3.2%) of websites being cleaned. A total of 23 (1.3% of all notified) domain names were deleted after 30 days because the domain holder failed to respond to the identification request.

malware2015_E

Compromised .ch and .li websites used for drive-by infections by quarter

Continue reading

News


IT-Security-Links #70

German:


Mehr Drive-By Exploits auf gehackten Schweizer Webseiten

Als Drive-By Exploit oder Drive-By Download bezeichnet man es, wenn auf dem Computer eines Internetnutzers nur durch das Aufrufen einer Webseite im Browser automatisch und unbemerkt schädliche Software installiert wird.

Nach der Infektion mit schädlicher Software haben Kriminelle meist unbegrenzten Zugirff auf den Computer und die darauf gespeicherten Daten und versuchen damit Geld zu verdienen. Trojaner stehlen z.B. Zugangs- und Kreditkarteninformation des Benutzers oder greifen in sein Ebanking ein. Ransomware versucht durch Einschüchterung des Benutzers und durch Blockade des PCs Geld zu erpressen.

Gemäss eines Berichts (PDF) der “European Network and Information Security Agency” ENISA stellen Drive-By Exploits für 2013 die grösste Bedrohung für Internetnutzer dar. Dies bestätigen auch die Zahlen aus der Schweiz. Continue reading


1 Comment

More Malware distributing Websites in Q3 2012

 In the 3rd quarter 2012, SWITCH-CERT has helped to clean 1260 malware distributing websites under the .ch and .li top level domains. This is more than twice than in the quarters before.

Visiting a hacked website is the most common reason to get infected with malware. Most often these are legitimate websites that are compromised by cyber criminals. The attackers inject invisible elements, such as iframes of javascript into the website. These invisible elements try to exploit vulnerabilities when a visitor opens the website with his browser. When the exploits succeed, the computer of the visitor is most likely infected with a trojan and becomes part of a botnet. The attackers now have complete remote control over the infected system and can use it to steal confidential data, attack e-banking, send SPAM or launch a Distributed Denial of Service (DDOS) attacks from the “bot client”.

The dramatic rise of compromised websites in Q3 2012 is most likely due to a vulnerability in the popular Plesk server admin software, that allowed attackers to access the websites and enabled them to inject their invisible code. Exploit kits were commercially available on the internet.

Continue reading