Hi Benoit, Zwingers

> On 16.12.2016 at 08:44, Benoit Panizzon <benoit.paniz...@imp.ch> wrote:
> Hi Swinogers
> It's not an actual case where we are involved in, nor did it happen in
> switzerland, but I'm in contact with a registrar and hoster that
> probably is in this situation.

This is unfortunately a common and realistic case.
We had about 40 to 50 domain names in .ch and .li alone that were registered 
to operate TorrentLocker.
As the operators make a lot of money with ransomware, they can afford to buy 
domain names and hosting, even if they can use them only for a few days.

> A customer registered a domain and booked a web and email service. The
> bookings were made in the name of an apparently newly created company.
> Everything looked legit, the domain owner wanted his privacy protected
> by a whois proxy provider.
> That company sent emails to various recipients, that led those
> recipients to their website to download some documents.
> Those documents were infected with the locky ransomware. It's clear
> that this is not a hacked site, but a site built purposefully to
> distribute that malware and make it look legitimate.
> The hoster reacted quickly to complaints, took the site offline and
> removed the DNS entries to prevent further damage.
> But what can the hoster/registrar do next? Can he contact his
> government's CERT team or the authorities and hand them over the
> customer data, ip addresses used to upload the site etc. to try to get
> hold of the gang behind that fraud as quickly as possible? Or would that
> break the privacy laws and they have to wait to get a subpoena, which
> could take several weeks and give the gang enough time to clear all
> traces?

You should inform the responsible CERTs (in Switzerland MELANI), the registry 
(for .ch and .li SWITCH, c...@switch.ch) and the registrar if you are not a 
registrar yourself.
Basically, this is to inform them about the malicious registrations and allow them to 
detect similar cases.

Handing over the logs to a CERT for victim notification doesn’t make so much 
sense in this case as victims will most likely notice that they are infected.

I think you should also contact KOBIK/FEDPOL and report the case as you are a 
You should first ask them what data they need to investigate the case and then 
make your decision on handing over the data.

Best regards


> -Benoît Panizzon-
> --
> I m p r o W a r e   A G    -    Leiter Commerce Kunden
> ______________________________________________________
> Zurlindenstrasse 29             Tel  +41 61 826 93 00
> CH-4133 Pratteln                Fax  +41 61 826 93 01
> Schweiz                         Web  http://www.imp.ch
> ______________________________________________________

Michael Hausding, Competence Lead DNS & Domain Abuse
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 77, incident phone +41 44 268 15 40

swinog mailing list