Secure Websites

Fighting internet crime on websites with .ch and .li domain names

List of contents

The link between domain names and internet crime

The use of websites or domain names for criminal purposes is one of the greatest threats lurking on the internet. Criminals may manipulate websites to spread malware and carry out phishing activities. They can also register domain names specifically for criminal activities, such as selling products of inferior quality through fraudulent webshops. Sites with .ch and .li domain names are vulnerable, too.

Relevance to you as owner of domain names or websites

Unfortunately, your website could also be manipulated for criminal activities with code written specifically for this purpose smuggled onto your server. This is something you and your website visitors are unlikely to notice.
If your website is reported to SWITCH as infected, we will send you an email asking you to remove the malicious code within 24 hours. The procedures for combating malware and phishing are explained further down.

Detailed information on risks and prevention can be found on the Safer Internet website.

SWITCH is in charge of the security of .ch and .li domain names

One of SWITCH's primary tasks is to provide a secure internet in Switzerland and Liechtenstein. In accordance with the Ordinance on Internet Domains (OID), SWITCH is authorized and in certain cases even obligated to block domain names in the event of misuse and to revoke (delete) them if need be.

Combating malware and phishing on .ch and .li websites
Legal basis: Article 15 OID; point 3.2.3 General Terms and Conditions.
Brief explanation: SWITCH receives numerous reports of websites that may be infected. We then look into these cases. If we discover harmful content, SWITCH will notify the holder of the domain name so that they can remove the malicious code. If they do not comply, SWITCH will block the domain name and the website will no longer be accessible. You can find further details below.
The same procedure applies to .li domain names. This procedure is based on SWITCH's General Terms and Conditions.

Cooperation with government agencies (administrative assistance)
Legal basis: Article 16 OID; point 3.2.3 General Terms and Conditions.
Brief explanation: Swiss government agencies will contact SWITCH if they are unable to contact the holder of a domain name. SWITCH will ask the holder to provide a valid address in Switzerland and proof of their identity. If they do not comply, the domain name is deleted. You can find further details below.

Combating malware and phishing

What are malware and phishing?

The term "malware" generally refers to harmful (malicious) software, such as viruses, trojans, worms, and cryptominers. Each day, criminals hack thousands of websites and make changes to them that go unnoticed. This creates a serious risk that computers used to visit one of these sites will themselves become infected with malware.

Phishing involves attempts to steal passwords and other sensitive information by luring users to fake websites, for example. Criminals can use this stolen information to log into online services, such as social media, email accounts, e-banking, webshops, etc. and then use their victims' identities to carry out fraudulent or unauthorised transactions.

For detailed information, visit the Safer Internet website.

What SWITCH is doing about it: procedure and deadlines

Websites with .ch and .li domain names are also vulnerable to misuse by criminals for phishing and the spreading of malware. Each day, SWITCH receives dozens of reports from a range of different sources about websites that may be infected. We then look into these cases. If we discover malware code or signs of phishing, SWITCH will send an email to the holder of the domain name asking them to remove the malicious code within 24 hours. The registrar, the hosting provider and the technical contact are informed as well. If the harmful content is not removed within one working day, SWITCH will block (deactivate) the corresponding domain name so that the fraudulent website will no longer be accessible and cannot be used to steal personal information or to spread malware.

In accordance with the OID, the block can be imposed for five working days. At the request of an OFCOM-accredited agency, the block can be extended. Otherwise, SWITCH must put the website back online. Upon reactivation, SWITCH will notify the holder to present proof of their identity within 30 days along with a correspondence address in Switzerland. If the holder does not respond to this request in due time, SWITCH will delete the corresponding domain name.

This document describes the procedure and deadlines in detail.

What should I do if I receive an email from SWITCH with the subject line "Misuse of your website"?

These emails are sent from the address cert@switch.ch. If you receive one of these emails, it is important that you act immediately, because it means that harmful content has been found on your website. The email will contain a link to a website with details about the harmful content. You must identify and remove it immediately. If you cannot do this yourself and/or the information in the email is unclear, please contact your hosting provider or webmaster.

Cooperation with government agencies (administrative assistance)

Swiss government agencies will contact SWITCH if they need a valid Swiss correspondence address from a domain name holder. There are various reasons for this. Usually, it relates to domain names of potentially unlawful websites, such as fraudulent webshops. The holders of these domain names are usually registered with fake or foreign addresses. SWITCH will ask the holder to provide a valid address in Switzerland and proof of their identity. If they fail to do so within 30 days, the domain name will be deleted. If the holder provides the requested information, it will be passed on to the requesting government agency.

Fraudulent webshops

Fraudulent webshops are one of many current threats on the internet. These professional-looking online shops sell items like sneakers or handbags from well-known brands at massively discounted prices. Internet users who visit these webshops are exposed to several risks: they provide their credit card information along with email and postal addresses to criminal organisations. After making payment, they receive merchandise of inferior quality — if they receive anything at all.

In the course of the procedures described above, SWITCH can also take action against fraudulent webshops.

To learn more about fraudulent webshops, visit the iBarry website.

Who to contact

Have you received a suspicious email or discovered a strange webshop?

Have you discovered strange content on your own website or have users brought such content to your attention?

    • Please contact your hosting provider or webmaster immediately. More information for domain name holders and website administrators can be found on the Safer Internet website.