[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Internet Crime: Kobik Searches and Finds


By Franziska Vonaesch

The National Coordination Unit for Combating Internet Crime (Kobik) has 
been online since January 1, 2003. Kobik acts as a center of competence 
for the public, official bodies and internet service providers on legal, 
technical and crime-related issues. Practice shows just how competent it 

The Federal Office of Police, Department IMC, Section OSINT/Kobik 
Monitoring. Even its name reads like a code. Its unobtrusive premises 
are located in a residential zone near the Wankdorf Stadium in Berne. 
Those who want to come inside need a special pass. Here - behind closed 
doors - investigators scan the murky waters of the internet.

They're on the lookout for all kinds of criminal offences. For example, 
the distribution of hardcore pornography and violent images, 
white-collar crime of various kinds, extremist or racist statements, 
copyright infringements, illegal arms trading and - since April 1, 2007
- spam.

White-Collar Crime is on the Rise

In 2006 Kobik received 7,345 tip-offs from the public. 40 percent of the 
contents are hardcore pornography including child pornography, 24 
percent spam, 9 percent pornography in general, 4 percent white-collar 
crime, 2 percent copyright infringement and 1 percent racial 
discrimination. The steady rise in white-collar crime is striking - the 
figures double every year.

"White-collar crime on the internet" is a very broad term that covers a 
multitude of offences: "phishing", money laundering, fraudulent escrow 
services (internet fiduciary services), misuse of credit card data, 
illegal data acquisition and countless other types of fraud. All the 
criminals behind these offences work in the same way: They spy on 
internet users in order to line their own pockets. This is a serious 
problem for banks and other financial institutions in Switzerland.

Software Looks for Clues

Nine members of staff at Kobik are responsible for uncovering criminal 
activity of this kind. They work in three separate areas: Monitoring, 
Clearing and Analysis. They are supported by all those who use the 
appropriate form to provide information about suspicious internet 

"Every tip that we receive appears immediately on the screens of the 
five Monitoring staff," explains Roger Kffer, Head of Monitoring. 
Initially the reports are processed by a special program. The software 
saves the reported data and automatically finds out which computers are 
being targeted via a particular address - and, most importantly, who is 
registered as responsible for the computer. "We only follow up cases 
that have a link with Switzerland." This means either that the 
"suspicious" computer is located in Switzerland or that the address is 
registered in the name of a Swiss citizen. Reports that point to foreign 
providers are passed on selectively to the countries in question.

Spam: When Victims Become Offenders

Around 20 percent of all messages received are spam. There is a new spam 
analyzer for tip-offs of this kind under kobik.ch. This tool identifies 
the relevant internet provider at the press of a button. If the provider 
is Swiss - Cablecom for example - the victim can report the case to 
Cablecom. Providers are obliged by law to prevent unsolicited mass 
advertising. "This analysis tool gives users the opportunity to defend 
themselves and shows them where they can get help," summarizes Kffer. 
But users aren't just victims - often they are offenders without even 
knowing it. The user's computer can be hijacked and infected with 
viruses or Trojan horses. Each time that the PC is switched on, it 
automatically transmits spam messages - you could almost say "by remote 
control." A network of these infected PCs is known as a "botnet."

Chat Forums Deliver Tip-Offs

The name "Coordination Unit" doesn't really do Kobik justice. "A key 
part of our day-to-day work is generating cases." "Generating" in this 
context means actively searching the internet for criminal activity. The 
topic is clearly prescribed by the body that governs Kobik's activities: 
child pornography. It's immediately clear that network and research 
specialists are at work here. "We know exactly what we're looking for 
and where to find it." However, the investigators don't have an entirely 
free hand. Monitoring is only permitted in the public sphere - 
password-protected areas are off limits. Entrapment is also forbidden - 
as is investigation under false pretenses. The monitoring of chat forums 
therefore requires a great deal of time and sensitivity. "We know and 
observe that a great deal of illegal activity goes on in chatrooms and 
therefore work closely together with the chatroom operators. Bluewin, 
for example, has more than 300 volunteers who monitor chatrooms 
intensively." Any suspicious activity is then reported to Kobik.

Patrolling the Data Highway

But where do most incidents occur? "Mainly in peer-to-peer (P2P) 
networks." "Gnutella," "Fast Track" and "eDonkey" for example are 
well-known P2P networks. Countless images and other items of information
- including child pornography - are passed along these sections of the 
data highway. "Here we pick up between 30 and 40 cases per month."
Kffer demonstrates how quickly and irrevocably a blow can be landed - 
even though there are several million surfers on the net at this 
moment. He enters his query based on its relevance to Switzerland. He 
keeps the search term secret - this is inside information. The list of 
hits is long and misleading at first glance, because not every hit 
points to an offender. Figuring out who is an offender and who is not 
is a key part of the work. Experience helps.

Suspicious activity. Now what?

After all the tip-offs and suspicions with a link to Switzerland have 
been secured in a form that can be used in court, the dossiers are 
passed to Kobik's Clearing unit. These three employees check the reports 
to determine their relevance under criminal law and then pass the 
suspicious cases on to the responsible prosecuting authorities in the 

Over the past year Kobik has examined 280 suspicious cases, 79 percent 
of which were taken further by the police. That's around 221 arrests 
over the year. In other words, Kobik's nine employees uncover one 
offender every second day - "clerical work" that's really worthwhile.

Related Links: www.kobik.ch

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com