Phishing Goes Up, Malware Down, On .CH Websites

The incidences of malware on .CH websites went down by a third (33%) in 2014, but incidences of phishing went up five-fold to 323.

SWITCH, the Swiss registry, uncovered 1,839 cases of malware last year, roughly a third below the total of 2,718 recorded in 2013. In 1,493 of these cases, registrants removed the harmful code after receiving the first notification from SWITCH.

However, the number of phishing cases increased almost fivefold between the first and fourth quarters. The removal process is the same as for malware: SWITCH checks websites for phishing and notifies the holder when it is found. In 2014, SWITCH recorded 323 cases of phishing, and the phishing site was removed after the first notification in 298 of these.

Serge Droz, Head of SWITCH-CERT, SWITCH’s security team, comments: “We saw a sharp increase in the number of phishing reports SWITCH received compared with 2013. This prompted SWITCH to start notifying holders of websites affected by phishing automatically via e-mail as of 1 October 2014.”

SWITCH Fighting Malware in Switzerland

Established process now covers phishing as well

SWITCH introduced a process for removing malware-spreading code from websites back in 2010. Various partner organisations in Switzerland and abroad warn SWITCH about websites that spread malware. Where there is a justified suspicion, the holder of a website is notified and requested to remove the harmful code within one working day. The domain name is temporarily blocked for up to five days in the interests of security if this is not done, and SWITCH demands identification from the holder if the infection is not removed from the website during this time. Should the holder also fail to meet this demand, the domain name is deleted after 30 days.

In view of the sharp increase in cases, phishing is now being handled with the same priority as malware. The process involved is partially automated. Phishing is an attempt to gain access to passwords or sensitive data by illegal means. Criminal organisations set up a phishing site on an existing website without the holder’s knowledge. Where addresses of phishing sites are identified on a .ch or .li domain, SWITCH notifies the holder and hoster. The phishing site is then removed within 24 hours in 92% of cases. Droz explains: “The most common phishing targets on .ch websites in 2014 were Apple and PayPal.” By cleaning infected websites of malware, SWITCH helps to ensure the security and stability of the Internet in Switzerland. The European Union Agency for Network and Information Security (ENISA) notes in its Threat Landscape 2014 report that phishing is on the increase worldwide.

SWITCH Phishing Domains in 2014

Use of Blackhole exploit kit drastically reduced

According to ENISA, the biggest threat comes from harmful code such as worms and Trojans, which hide on websites and use an exploit kit to infect the computers of users who visit these sites. An exploit kit is an electronic data processing toolkit that systematically exploits weaknesses in browsers and their plugins. SWITCH identified a variety of exploit kits from its analysis of infected websites in 2014. The most commonly used last year was Angler, which took advantage of loopholes in Adobe Flash and Java. SWITCH’s observations concerning Swiss websites corroborate the ENISA report’s claim that use of the Blackhole exploit kit has been drastically reduced since those responsible were caught.

Reporting suspected phishing:

SWITCH recommends reporting suspected phishing directly to the Swiss Internet Security Alliance (SISA), a joint initiative of Swiss providers of Internet and financial services and security firms. SWITCH is a founding member of SISA.