By Franziska Vonaesch
The National Coordination Unit for Combating Internet Crime (Kobik) has
been online since January 1, 2003. Kobik acts as a center of competence
for the public, official bodies and internet service providers on legal,
technical and crime-related issues. Practice shows just how competent it
The Federal Office of Police, Department IMC, Section OSINT/Kobik
Monitoring. Even its name reads like a code. Its unobtrusive premises
are located in a residential zone near the Wankdorf Stadium in Berne.
Those who want to come inside need a special pass. Here - behind closed
doors - investigators scan the murky waters of the internet.
They're on the lookout for all kinds of criminal offences. For example,
the distribution of hardcore pornography and violent images,
white-collar crime of various kinds, extremist or racist statements,
copyright infringements, illegal arms trading and - since April 1, 2007
White-Collar Crime is on the Rise
In 2006 Kobik received 7,345 tip-offs from the public. 40 percent of the
contents are hardcore pornography including child pornography, 24
percent spam, 9 percent pornography in general, 4 percent white-collar
crime, 2 percent copyright infringement and 1 percent racial
discrimination. The steady rise in white-collar crime is striking - the
figures double every year.
"White-collar crime on the internet" is a very broad term that covers a
multitude of offences: "phishing", money laundering, fraudulent escrow
services (internet fiduciary services), misuse of credit card data,
illegal data acquisition and countless other types of fraud. All the
criminals behind these offences work in the same way: They spy on
internet users in order to line their own pockets. This is a serious
problem for banks and other financial institutions in Switzerland.
Software Looks for Clues
Nine members of staff at Kobik are responsible for uncovering criminal
activity of this kind. They work in three separate areas: Monitoring,
Clearing and Analysis. They are supported by all those who use the
appropriate form to provide information about suspicious internet
"Every tip that we receive appears immediately on the screens of the
five Monitoring staff," explains Roger Kffer, Head of Monitoring.
Initially the reports are processed by a special program. The software
saves the reported data and automatically finds out which computers are
being targeted via a particular address - and, most importantly, who is
registered as responsible for the computer. "We only follow up cases
that have a link with Switzerland." This means either that the
"suspicious" computer is located in Switzerland or that the address is
registered in the name of a Swiss citizen. Reports that point to foreign
providers are passed on selectively to the countries in question.
Spam: When Victims Become Offenders
Around 20 percent of all messages received are spam. There is a new spam
analyzer for tip-offs of this kind under kobik.ch. This tool identifies
the relevant internet provider at the press of a button. If the provider
is Swiss - Cablecom for example - the victim can report the case to
Cablecom. Providers are obliged by law to prevent unsolicited mass
advertising. "This analysis tool gives users the opportunity to defend
themselves and shows them where they can get help," summarizes Kffer.
But users aren't just victims - often they are offenders without even
knowing it. The user's computer can be hijacked and infected with
viruses or Trojan horses. Each time that the PC is switched on, it
automatically transmits spam messages - you could almost say "by remote
control." A network of these infected PCs is known as a "botnet."
Chat Forums Deliver Tip-Offs
The name "Coordination Unit" doesn't really do Kobik justice. "A key
part of our day-to-day work is generating cases." "Generating" in this
context means actively searching the internet for criminal activity. The
topic is clearly prescribed by the body that governs Kobik's activities:
child pornography. It's immediately clear that network and research
specialists are at work here. "We know exactly what we're looking for
and where to find it." However, the investigators don't have an entirely
free hand. Monitoring is only permitted in the public sphere -
password-protected areas are off limits. Entrapment is also forbidden -
as is investigation under false pretenses. The monitoring of chat forums
therefore requires a great deal of time and sensitivity. "We know and
observe that a great deal of illegal activity goes on in chatrooms and
therefore work closely together with the chatroom operators. Bluewin,
for example, has more than 300 volunteers who monitor chatrooms
intensively." Any suspicious activity is then reported to Kobik.
Patrolling the Data Highway
But where do most incidents occur? "Mainly in peer-to-peer (P2P)
networks." "Gnutella," "Fast Track" and "eDonkey" for example are
well-known P2P networks. Countless images and other items of information
- including child pornography - are passed along these sections of the
data highway. "Here we pick up between 30 and 40 cases per month."
Kffer demonstrates how quickly and irrevocably a blow can be landed -
even though there are several million surfers on the net at this
moment. He enters his query based on its relevance to Switzerland. He
keeps the search term secret - this is inside information. The list of
hits is long and misleading at first glance, because not every hit
points to an offender. Figuring out who is an offender and who is not
is a key part of the work. Experience helps.
Suspicious activity. Now what?
After all the tip-offs and suspicions with a link to Switzerland have
been secured in a form that can be used in court, the dossiers are
passed to Kobik's Clearing unit. These three employees check the reports
to determine their relevance under criminal law and then pass the
suspicious cases on to the responsible prosecuting authorities in the
Over the past year Kobik has examined 280 suspicious cases, 79 percent
of which were taken further by the police. That's around 221 arrests
over the year. In other words, Kobik's nine employees uncover one
offender every second day - "clerical work" that's really worthwhile.
Related Links: www.kobik.ch
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com