SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

Why the most successful Retefe spam campaign never paid off

Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At that time, it changed the local DNS resolver on the computer (See also blog post “Retefe Bankentrojaner” in German only). Almost a year went by until they changed to the still current approach of setting a proxy auto-config (PAC) URL (See also blog post “The Retefe banking Trojan has targeted Switzerland“). To understand the story of this blog post, it helps to understand the modus operandi of the Retefe malware. We recommend you read up on it on our blog links posted above if you are not familiar with it.

While the Retefe actors are constantly changing tactics, for example their newest campaigns also target Mac OS X users, their malware still works the same. One of notable changes was the introduction of Tor in 2016. At first, they started using Tor gateway domain names such as onion.to, onion.link within the proxy auto-config URLs, later on they switched to Tor completely. The advantage of using Tor is of course, anonymity and the difficulty to block or take down the infrastructure.

Onion domain names don’t use DNS or do they?
The Tor network can use .onion domain names but these names are not resolved over DNS but instead work only in the Tor network. RFC 7686 (The “.onion” Special-Use Domain Name) goes into more details on the special case of .onion domain names. However, the fact is that .onion domain names do leak into the DNS system. For potential reasons and more information on this subject we recommend the paper by Versign Labs “Measuring the Leakage of Onion at the Root” (PDF).
Continue reading

The March 2016 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Torpedoed for a fistful of dollars – university helps authorities spy on Tor users
  • Crypto Wars 3.0 – will the FBI be given a licence to snoop, or can – Apple successfully lock down the unlocking?
  • Deadly bugs in hospital – ransomware Trojan Locky shuts down entire clinics and more
  • Mission: Possible – Big Data and automated law enforcement

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.


Deep Web – Das Netz unter dem Netz (Teil 4)

Dieser Artikel wurde von Katja Locker verfasst.

Tor, Freenet und eine klare Warnung an alle Neugierigen


Das mit Abstand meistgenutzte und grösste Anonymisierungsnetzwerk heisst „The Onion Routing“, kurz Tor. Seine Nutzerzahl hat sich 2012 eigenen Angaben zufolge innerhalb eines Jahres verdoppelt – auf gut 600 000 Zugriffe pro Tag von Rechnern weltweit. Wer Tor nutzt, kann damit zumindest bis zu einem gewissen Grad anonym surfen und staatliche Zensurmassnahmen umgehen.

Continue reading

Deep Web – Das Netz unter dem Netz (Teil 3)

Dieser Artikel wurde von Katja Locker verfasst.

Vom Internet zum „Filternet“

In den Anfangsjahren des Internets sah es dort noch recht anders aus. Was daran lag, dass das weltweite Netz in den 90er-Jahren überwiegend aus statischen HTML-Seiten bestand. Das änderte sich schlagartig mit Beginn des Web-2.0-Zeitalters. Neue Darstellungsformate und Technologien wie Flash-animierte Webseiten oder Videos breiteten sich aus. Die Inhalte in sozialen Netzwerken, Community-Seiten und Chat-Foren kamen und verschwanden dabei schneller, als man schauen konnte – vor allem schneller, als Suchmaschinen sie erfassen konnten.

Continue reading