Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on April 8, 2016 09:38 UTC by GovCERT.ch (permalink)
Last updated on April 8, 2016 10:16 UTC
With this blog post we would like to share Indicators Of Compromise (IOCs) related to the attacks against 20min.ch, a popular newspaper website in Switzerland which got compromised and abused by hackers to infect visitors with an ebanking Trojan called Gozi ISFB. The IOCs shared in this blogpost may be used to spot infections within corporate networks.
The compromise of 20min.ch is just one part of a bigger malvertising campaign that is targeting Swiss internet users since at least spring 2015, The goal of the campaign is to infect Swiss citizens with Gozi ISFB and committing ebanking fraud (see
Swiss Advertising network compromised and distributing a Trojan and Gozi ISFB - When A Bug Really Is A Feature). MELANI / GovCERT.ch is aware of thousands of computers that got infected by Gozi ISFB in the past months and subsequently were used to access ebanking accounts without the victim’s consent.
We are aware that this Gozi campaign is not only targeting Swiss citizens, but also corporate bank accounts of small- and medium businesses in Switzerland. We therefore recommend SMBs in Switzerland to review their IT-Security arrangements accordingly (see our recommendations at the end of the blog post).
Below is a list of IOCs associated with this Gozi ISFB campaign.
Exploit Kit infrastructure (used to distribute Gozi ISFB):
Gozi C&C DGA domains:
Gozi C&C IP address:
Gozi bootstrap server:
The infection chain is as follows:
We are notifying Internet Service Providers (ISPs) and network owners in Switzerland about Gozi infections in their IP space that we become aware of. If you get informed by your ISP about such an infection, we highly recommend you to clean up the infected machine by reinstalling the operating system. Please consider that not all Antivirus software is able to spot a Gozi infection. Hence a full reinstall of the operating system is recommended.
You can find further documentation how to prevent getting infected by malware below.
For end users:
Informationen für Private
Informations pour des utilisateurs privés
Informazioni per privati
For small and medium businesses:
Merkblatt IT-Sicherheit für KMUs
Sécurité informatique: aide-mémoire pour les PME
Promemoria sulla sicurezza informatica per le PMI
Further reading on this Gozi campaign:
Swiss Advertising network compromised and distributing a Trojan
Gozi ISFB - When A Bug Really Is A Feature
Back to top