
Tag: Indonesia

APAC accounted for majority of botnet detections globally

Asia-Pacific contributed more than 50 percent of total botnet detections in the second half of 2016, with the Philippines, Indonesia, India, Thailand, and Malaysia among top 10 countries.

In-the-wild exploits ramp up against high-impact sites using Apache Struts

Hackers are still exploiting the bug to install malware on high-impact sites.

Mobile malware evolution 2016

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued.

Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy, and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources on the victim’s computer. During the investigation, the law enforcement agencies (LEAs) involved found more than 100 active victims on the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them law firms, consultancy services, universities and even Vatican cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008. Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.

Investigation

Although the Italian Police Report doesn’t include malware hashes, it identifies a number of C&C servers and e-mail addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid: http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf

Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:

E-mail addresses used for exfiltration

gpool@hostpenta[.]com
hanger@hostpenta[.]com
hostpenta@hostpenta[.]com
purge626@gmail[.]com
tip848@gmail[.]com
dude626@gmail[.]com
octo424@gmail[.]com
tim11235@gmail[.]com
plars575@gmail[.]com

Command-and-Control servers

eyepyramid[.]com
hostpenta[.]com
ayexisfitness[.]com
enasrl[.]com
eurecoove[.]com
marashen[.]com
millertaylor[.]com
occhionero[.]com
occhionero[.]info
wallserv[.]com
westlands[.]com

Based on these indicators we quickly wrote a YARA rule and ran it through our systems, in order to see if it matched any samples.
Here’s how our initial “blind”-written YARA rule looked:

    rule crime_ZZ_EyePyramid
    {
        meta:
            copyright = "Kaspersky Lab"
            author = "Kaspersky Lab"
            maltype = "crimeware"
            filetype = "Win32 EXE"
            date = "2016-01-11"
            version = "1.0"

        strings:
            // Command-and-control domains named in the police report
            $a0  = "eyepyramid.com" ascii wide nocase fullword
            $a1  = "hostpenta.com" ascii wide nocase fullword
            $a2  = "ayexisfitness.com" ascii wide nocase fullword
            $a3  = "enasrl.com" ascii wide nocase fullword
            $a4  = "eurecoove.com" ascii wide nocase fullword
            $a5  = "marashen.com" ascii wide nocase fullword
            $a6  = "millertaylor.com" ascii wide nocase fullword
            $a7  = "occhionero.com" ascii wide nocase fullword
            $a8  = "occhionero.info" ascii wide nocase fullword
            $a9  = "wallserv.com" ascii wide nocase fullword
            $a10 = "westlands.com" ascii wide nocase fullword
            // $a11 to $a15 (IP addresses used in the attacks) are redacted in the
            // published rule; YARA rejects empty strings, so they are left out here
            // Licence keys of the custom mailing library used by the attackers
            $a16 = "MN600-849590C695DFD9BF69481597241E-668C" ascii wide nocase fullword
            $a17 = "MN600-841597241E8D9BF6949590C695DF-774D" ascii wide nocase fullword
            $a18 = "MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D" ascii wide nocase fullword
            $a19 = "MN600-AD58AF50F55A60E043E3A3C593ED-874A" ascii wide nocase fullword
            // Exfiltration mailboxes, matched case-insensitively
            $a20 = "gpool@hostpenta.com" ascii wide nocase fullword
            $a21 = "hanger@hostpenta.com" ascii wide nocase fullword
            $a22 = "hostpenta@hostpenta.com" ascii wide nocase fullword
            $a23 = "ulpi715@gmx.com" ascii wide nocase fullword
            // Exfiltration mailboxes, matched case-sensitively
            $b0  = "purge626@gmail.com" ascii wide fullword
            $b1  = "tip848@gmail.com" ascii wide fullword
            $b2  = "dude626@gmail.com" ascii wide fullword
            $b3  = "octo424@gmail.com" ascii wide fullword
            $b4  = "antoniaf@poste.it" ascii wide fullword
            $b5  = "mmarcucci@virgilio.it" ascii wide fullword
            $b6  = "i.julia@blu.it" ascii wide fullword
            $b7  = "g.simeoni@inwind.it" ascii wide fullword
            $b8  = "g.latagliata@live.com" ascii wide fullword
            $b9  = "rita.p@blu.it" ascii wide fullword
            $b10 = "b.gaetani@live.com" ascii wide fullword
            $b11 = "gpierpaolo@tin.it" ascii wide fullword
            $b12 = "e.barbara@poste.it" ascii wide fullword
            $b13 = "stoccod@libero.it" ascii wide fullword
            $b14 = "g.capezzone@virgilio.it" ascii wide fullword
            $b15 = "baldarim@blu.it" ascii wide fullword
            $b16 = "elsajuliette@blu.it" ascii wide fullword
            $b17 = "dipriamoj@alice.it" ascii wide fullword
            $b18 = "izabelle.d@blu.it" ascii wide fullword
            $b19 = "lu_1974@hotmail.com" ascii wide fullword
            $b20 = "tim11235@gmail.com" ascii wide fullword
            $b21 = "plars575@gmail.com" ascii wide fullword
            $b22 = "guess515@fastmail.fm" ascii wide fullword

        condition:
            // PE file ("MZ" header), under 10 MB, containing any of the indicators
            (uint16(0) == 0x5A4D) and (filesize < 10MB) and
            ((any of ($a*)) or (any of ($b*)))
    }

To build the YARA rule above we used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we ran it on our malware collections.

Two of the initial hits were:

MD5: 778d103face6ad7186596fb0ba2399f2
File size: 1396224 bytes
Type: Win32 PE file
Compilation timestamp: Fri Nov 19 12:25:00 2010

MD5: 47bea4236184c21e89bd1c1af3e52c86
File size: 1307648 bytes
Type: Win32 PE file
Compilation timestamp: Fri Sep 17 11:48:59 2010

These two samples allowed us to write a more specific and more effective YARA rule, which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified. Although very thorough, the Police Report does not include any technical details about how the malware was spread, other than the use of spear-phishing messages with malicious attachments sent from spoofed email addresses. Nevertheless, once we were able to identify the samples shown above, we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example:

From: Di Marco Gianmaria
Subject: ricezione e attivazione
Time: 2014/01/29 13:57:42
Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni
Subject: R: Re: CONVOCAZIONE]
Time: 2014/01/28 17:28:56]
Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

Nuoveassunzioni.7z
Assunzione.7z
Segnalazioni.doc (…) 7z.exe
Regione.7z
Energy.7z
Risparmio.7z
Pagati.7z
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Approfondimento.7z
Allegato.zip
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe
Notifica operazioni in sospeso.exe

As can be seen, the spreading relied on spear-phishing e-mails with attachments, and on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives containing the EyePyramid malware. The attackers also relied on executable files whose real extension was hidden by padding the filename with multiple spaces before the final ".exe".
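As an added example (not Kaspersky's code), the following Python flags attachment names that use the space-padded extension trick described above and applies, to members of a ZIP attachment, the same "MZ" header check the YARA rule's uint16(0) == 0x5A4D performs; the extension lists, the name patterns and the sample archive are constructed assumptions, not data from the report.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click (assumption: illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions the lures in the report pretended to be (assumption).
DECOY_EXTS = {".pdf", ".doc", ".accdb", ".mdb", ".bmp", ".7z", ".zip"}

# Matches "<name>.<decoy ext><two or more spaces><optional tail>" inside the stem,
# e.g. "sistemi.pdf          " or "Segnalazioni.doc          7z".
PADDED_DECOY_RE = re.compile(r"\.([A-Za-z0-9]{1,5})(\s{2,})\S*$")


def analyze_attachment_name(name):
    """Return a list of findings for one attachment filename (empty means nothing suspicious)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any archive/directory prefix
    stem, dot, ext = base.rpartition(".")
    real_ext = ("." + ext.lower()) if dot else ""
    findings = []
    if real_ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + real_ext)
        m = PADDED_DECOY_RE.search(stem)
        if m and ("." + m.group(1).lower()) in DECOY_EXTS:
            findings.append("decoy .%s hidden by %d spaces" % (m.group(1).lower(), len(m.group(2))))
        elif "." in stem:
            findings.append("double extension")
    return findings


def scan_archive(data):
    """Scan every member of a ZIP attachment; returns {member name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = analyze_attachment_name(info.filename)
            with zf.open(info) as member:
                magic = member.read(2)
            _, dot, ext = info.filename.rpartition(".")
            member_ext = ("." + ext.lower()) if dot else ""
            # Same test as the YARA condition uint16(0) == 0x5A4D: a PE header.
            if magic == b"MZ" and member_ext not in EXECUTABLE_EXTS:
                findings.append("PE (MZ) header under non-executable name")
            if findings:
                results[info.filename] = findings
    return results


def build_sample_archive():
    """Constructed test archive modelled on the attachment names quoted in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Primarie.accdb" + " " * 40 + ".exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Regione.accdb", b"MZ" + b"\x00" * 62)  # PE bytes behind a document name
        zf.writestr("Note.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(repr(member), "->", "; ".join(findings))
```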

This extension-masking technique is consistent with the low sophistication level of this attack.

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing emails, according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted, however, that there is no proof that any of them was successfully infected by EyePyramid – only that they were targeted. Of the more than 100 active victims found on the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include:

Professional firms, consultants
Universities
Vaticano
Construction firms
Healthcare

Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, the vast majority (80%) of them in Italy. Other countries where EyePyramid has been detected include France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland. Assuming their compilation timestamps are legitimate – and they do appear correct – most of the samples used in the attacks were compiled in 2014 and 2015.

Conclusions

Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data. In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high-profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.
Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

HEUR:Trojan.Win32.Generic
Trojan.Win32.AntiAV.choz
Trojan.Win32.AntiAV.ciok
Trojan.Win32.AntiAV.cisb
Trojan.Win32.AntiAV.ciyk
not-a-virus:HEUR:PSWTool.Win32.Generic
not-a-virus:PSWTool.Win32.NetPass.aku

A full report on #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com
To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit – https://sas.kaspersky.com/#trainings

References and Third-Party Articles

Indicators of Compromise

Hashes:

Related hashes identified by @GaborSzappanos:

Backdoor filenames:

pnbwz.exe
pxcfx.exe
qislg.exe
rqklt.exe
runwt.exe
ruzvs.exe
rvhct.exe
vidhdw.exe
winlng.exe
wxrun.exe
xddrv.exe
xdwdrv.exe

Malicious attachment filenames (weak indicators):

contatto.zip//Primarie.accdb (…) .exe
Note.zip//sistemi.pdf (…) .exe
Nuoveassunzioni.7z
Assunzione.7z
Segnalazioni.doc (…) 7z.exe
Regione.7z
Energy.7z
Risparmio.7z
Pagati.7z
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Approfondimento.7z
Allegato.zip
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe

Computop and AsiaPay Partner to Enable Retailers to Safely and Effectively...

Bamberg and Hong Kong – December 15, 2016 – Computop, a leading payment service provider, and AsiaPay, one of Asia-Pacific’s most distinguished payment service providers, today announced their new strategic partnership.

The relationship enables retailers to securely process payments in Asia-Pacific through Computop’s Paygate payment gateway using the payment methods that consumers in the region prefer and trust, helping to positively impact sales and the overall customer experience.

A recent e-Marketer report noted that Asia-Pacific will remain the world’s largest retail e-commerce market, with sales expected to top $1 trillion in 2016 and more than double to $2.725 trillion by 2020.

Findings also noted that the region will see the fastest rise in retail e-commerce sales, increasing 31.5% this year.
In addition, according to a study by Kantar TNS, Asia-Pacific is leading the world in mobile payment with over half (53%) of connected consumers using their mobile phones to pay for goods or services at the point-of-sale via apps.

As such, the Computop and AsiaPay partnership enables retailers to capitalize on the growth opportunity that Asia-Pacific presents. “Expanding business into foreign markets may seem daunting, but working with companies that have a strong foothold in those regions and that understand the payment behaviors and preferences of consumers in those countries is key to retailer success,” said Ralf Gladis, CEO of Computop. “Through our partnership with AsiaPay, Computop is able to provide merchant customers with the opportunity to take advantage of Asia-Pacific consumers’ appetite for e-commerce. With Computop Paygate integrated with AsiaPay, retailers benefit from the secure payment options that southeast Asian consumers expect and trust.” “We are very honoured to be a strategic partner of Computop,” said Joseph Chan, CEO of AsiaPay. “Our company has more than 16 years of experience in credit card processing and international business service, giving us a solid position as a premier e-Payment player in the region.

Furthermore, we have a keen understanding of merchants’ payment requirements in the fast-paced e-commerce business environment. We believe that a strategic cooperation with Computop can help merchants improve their processing efficiency, thereby contributing to their business growth as well as support their global endeavor,” he added. Founded in 2000, AsiaPay offers secure and cost-effective electronic payment processing solutions and services to banks and e-businesses globally.

The company offers a variety of card payments, online bank transfers, e- wallets and cash payments across over 16 countries, including Hong Kong, China, India, Indonesia, Malaysia, Singapore, Philippines, Taiwan, Thailand and Vietnam.
It is a certified international 3-D secure vendor for VISA, MasterCard, American Express and JCB. Computop Paygate is a PCI-certified omnichannel payment platform that provides retailers with secure payment solutions and efficient fraud prevention for international markets.

Computop integrated AsiaPay into Paygate to offer merchants a wide range of payment methods in the Asia-Pacific region to support their cross-border and global commerce efforts. Payment methods available on Paygate include Alipay, American Express, JCB, Tenpay and WeChat, along with many other widely-accepted payment options that consumers in these countries use.

About Computop

Computop is a leading global payment service provider (PSP) that provides compliant and secure solutions in the fields of e-commerce, POS, m-commerce and Mail Order and Telephone Order (MOTO).

The company, founded in 1997, is headquartered in Bamberg, Germany, with additional independent offices in China, the UK and the U.S.

Computop processes transactions totalling $24 billion per year for its client network of over 14,000 mid-size and large international merchants and global marketplace partners in industries such as retail, travel and gaming.

Global customers include C&A, Fossil, Metro Cash & Carry, Rakuten, Samsung and Swarovski.

Following the recent asset deal with the Otto Group, Computop is now processing payments for merchants that previously used EOS Payment, including all 100 Otto retail brands.
In cooperation with its network of financial and technology partners, which it has expanded over many years, Computop offers a comprehensive multichannel solution that is geared to the needs of today's market and provides merchants with seamlessly integrated payment processes. For further information, please visit www.computop.com.

About AsiaPay

Founded in 2000, AsiaPay, a premier electronic payment solution and technology vendor and payment service provider, strives to bring advanced, secure, integrated and cost-effective electronic payment processing solutions and services to banks, corporates and e-Businesses in the worldwide market, covering international credit card, China UnionPay (CUP) card, debit card and other prepaid card payments. AsiaPay is an accredited payment processor and payment gateway solution vendor for banks, a certified IPSP for merchants, and a certified international 3-D Secure vendor for Visa, MasterCard, American Express and JCB.

AsiaPay offers its variety of award-winning payment solutions that are multi-currency, multi-lingual, multi-card and multi-channel, together with its advanced fraud detection and management solutions. Headquartered in Hong Kong, AsiaPay offers its professional e-Payment solution consultancy and quality local service support across its other 12 offices in Asia including: Thailand, Philippines, Singapore, Malaysia, Mainland China, Taiwan, Vietnam, Indonesia and India.

For more information, please visit www.asiapay.com and www.paydollar.com.

###

For further information, please contact:

Jessica Mularczyk
Ascendant Communications, for Computop in the U.S.
Tel: 508-498-9300
E-mail: jmularczyk@ascendcomms.net

Charlotte Hanson
Ascendant Communications, for Computop in the UK
Tel: +44 (0) 208 334 8041
E-mail: chanson@ascendcomms.net

Valerie Sanchez
Senior Channel Manager, AsiaPay
Tel: (632) 887-2288
E-mail: valerie.sanchez@asiapay.com

Alvin Chan
Associate Director, Sales & Marketing, AsiaPay
Tel: +852-2538 8278
E-mail: alvin.chan@asiapay.com

Crims turn to phishing-as-a-service to slash costs and max profits

So says Imperva after trolling the dark web

Prefab phishing campaigns cost less to run and are twice as profitable as traditional phishing attacks, according to a new study by security vendor Imperva. Cybercriminals are lowering the cost and increasing the effectiveness of email phishing by buying complete packages of compromised servers and all the other components necessary to run a campaign of phishing attacks.

These so-called phishing-as-a-service bundles are cheaper than trying to cobble together an email campaign from scratch.

That probably seems obvious to you, but it's useful to see some research confirming it. For one thing, the tactic is driving an across-the-board increase in phishing attacks. Phishing is the starting point for most network and data breaches.
Imperva researchers began their study by going through listings on dark-web marketplaces.

This allowed them to estimate the cost of phishing campaigns and gave them a clearer picture of the business model behind these all-too-commonplace scams. Based on the costs of the studied campaign – which used phishing pages, a spam server, an email list of 100,000 email addresses and access to compromised servers – the overall estimated expenses of an unmanaged phishing scam are about $27.65, Imperva estimates. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered up-front costs.

Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which tends to be more labour intensive. Lowering the costs and technology barriers associated with phishing will almost certainly lead to an increase in phishing campaigns, and in the number of people falling victim to these cybercrime operations. The ease of purchase and low cost of PhaaS campaigns is highly likely to make frauds that rely on tricking marks into handing over login credentials for sensitive websites even more commonplace, Imperva concludes.

“The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, cofounder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts, because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability.”

Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016.

The researchers found that people are most likely to take the email phishing bait while at work, rather than at home.

Around a third (35 per cent) of successful phishing attacks were activated between 0900 and noon while victims were at work, busy writing and replying to emails.

The researchers also found that victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email before filling in a web form with their login credentials. Imperva researchers were able to link the campaign to an Indonesian hacking group that began its “career” with a series of web defacement attacks against targets in the US, Australia and Indonesia.
In late 2015, the group graduated to money-making hack attacks against online shops that use the Magento e‑commerce system. Two-thirds (68 per cent) of the victim credentials harvested by the group did not exist in previously known public breaches (one-third had been breached in the past). Imperva’s latest Hacker Intelligence Initiative report, Phishing made easy: Time to rethink your prevention strategy?, can be found here [PDF].

An Infographic summarising the main findings of the study is here [PDF]. ®

That Botnet-of-Things malware is getting a nasty makeover

More bots.

Thanks, Internet of Things.

Mirai—the malware responsible for creating a massive "botnet" of hacked Internet-connected cameras, digital video recorders, and other devices that interrupted Internet services for many last week—is still in action, according to data from the network security company Arbor Networks.

An ever-shifting army of about 500,000 compromised Internet of Things (IoT) devices is still being controlled by Mirai, based on Arbor's tracking of the malware's communications.

And multiple command-and-control networks are still directing those devices to attack websites and service providers across the Internet.

But as previously predicted, new and improved versions of the Mirai malware—based on the openly-published source code Mirai's alleged author posted on September 30—are now appearing in the "wild" and wreaking additional havoc.

In a blog post, Roland Dobbins, Principal Engineer on Arbor's ASERT Team, noted that "relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain." Devices that are vulnerable to Mirai takeover, he noted, "are typically listening for inbound telnet access on TCP [port] 23 and TCP [port] 2323," and compromised devices communicate via "a remote-control backdoor" that is also present in Mirai, "accessible via TCP/103." Mirai botnets constantly scan the entire Internet for vulnerable devices, so even when a device is rebooted or reset, it can be compromised all over again within 10 minutes.

Dobbins also noted that "multiple threat actor groups are actively working to expand and improve" the attacks that were coded into Mirai, and that "some alterations in the DDoS attack capabilities of at least one Mirai-derived botnet have been observed in the wild." In a Skype call with Ars, Dobbins said, "It's a minor enhancement to one of the existing [Mirai] attacks." He couldn't give detail about the enhancements, but he added that "multiple groups are working to enhance and customize Mirai."

The original Mirai code is capable of a variety of attacks against DNS services and websites, in addition to more generic network "flood" attacks based on the TCP, UDP, and Generic Routing Encapsulation protocols. Mirai accounted for most of the attack on Dyn's DNS service on October 21, and was part of earlier attacks on security reporter Brian Krebs' site and on French cloud provider OVH.

Those attacks measured over 600 gigabits per second and over 1.5 terabits per second at their peaks, respectively. While the total volume of traffic thrown at Dyn hasn’t yet been publicly released, Level 3 Communications chief security officer Dale Drew said in a Twitter conversation that the numbers had been shared with major network operators.

Drew told Ars in a separate conversation that "tens of millions" of distinct devices were involved in the Dyn DoS attack, and that some of them were clearly not Mirai-infected devices; not all of the devices were necessarily active at the same time. Dobbins wrote that the "potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant." The outbound traffic from hacked devices—including attacks against intended targets and scanning for other vulnerable devices—could crimp the network bandwidth of even major broadband ISPs, causing outages for customers. Given the wide availability of the code, it's fairly certain that even more Mirai variants will emerge—and make their presence felt as the holidays approach.

Criminal botnet operators will likely use Mirai's success as a way to extract blackmail payments from online retailers and banks with threats of interfering with online shopping.
Stopping (or at least reducing) those attacks will require network operators to work to identify vulnerable or hacked devices themselves and block the command-and-control traffic to them.
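As an added example (not Arbor's tooling or anything from the post), this Python triage over constructed flow records picks out hosts that fan out to TCP/23 and TCP/2323 the way Mirai's scanner does, and devices being reached on the TCP/103 backdoor port the post mentions; the record format, the fan-out threshold and every address are assumptions.

```python
from collections import defaultdict

# Ports named in Arbor's write-up: telnet on 23/2323 is what Mirai scans for, TCP/103 is the backdoor.
TELNET_PORTS = {23, 2323}
BACKDOOR_PORT = 103
# Assumption: a source touching this many distinct hosts on telnet ports is scanning, not administering.
SCAN_FANOUT = 20


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' records (constructed format, not a real exporter's)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def find_telnet_scanners(flows, fanout=SCAN_FANOUT):
    """Sources with outbound TCP/23 or TCP/2323 to at least `fanout` distinct hosts -> {src: count}."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= fanout}


def find_backdoor_contacts(flows):
    """Devices receiving TCP/103 connections -> {device: sorted list of remote peers}."""
    peers = defaultdict(set)
    for _, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == BACKDOOR_PORT:
            peers[dst].add(src)
    return {dst: sorted(p) for dst, p in peers.items()}


def triage(flows):
    """Combine both signals into {device: [reasons]} for the operations team to act on."""
    report = defaultdict(list)
    for src, n in find_telnet_scanners(flows).items():
        report[src].append("telnet fan-out to %d hosts" % n)
    for dst, peers in find_backdoor_contacts(flows).items():
        report[dst].append("TCP/103 contact from " + ", ".join(peers))
    return dict(report)


def build_sample_flows():
    """Constructed flow log: one infected camera scanning, one admin host, one backdoor contact."""
    lines = []
    ts = 1477000000
    for i in range(25):  # 10.0.0.7 sweeps 25 hosts on 23/2323, Mirai-style
        port = 23 if i % 2 == 0 else 2323
        lines.append("%d 10.0.0.7 203.0.113.%d %d tcp" % (ts + i, i + 1, port))
    lines.append("%d 10.0.0.9 10.0.0.50 23 tcp" % (ts + 30))   # admin logging into two switches
    lines.append("%d 10.0.0.9 10.0.0.51 23 tcp" % (ts + 31))
    lines.append("%d 198.51.100.5 10.0.0.7 103 tcp" % (ts + 40))  # remote peer reaching the camera's backdoor
    lines.append("%d 10.0.0.12 192.0.2.8 443 tcp" % (ts + 41))  # ordinary HTTPS, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    for device, reasons in triage(parse_flows(build_sample_flows())).items():
        print(device, "->", "; ".join(reasons))
```

The admin host stays below the threshold by design; lowering `fanout` shows how quickly legitimate management traffic starts to look like scanning, which is why the threshold should be tuned per network.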

Forget malware, crooks are cracking ATMs the old-fashioned way – with...

Blowing up cash machines is blowing up

Bank raiders are increasingly turning to explosives in order to break into cash machines. The European ATM Security Team (EAST) reports that ATM explosive attacks were up 80 per cent in the first half of 2016 compared to the same period last year.

A total of 492 explosive attacks were reported, up from 273 during the same period in 2015. The majority were explosive gas attacks, but 110 involved solid explosives.

EAST executive director Lachlan Gunn said: "This rise in explosive attacks is of great concern to the industry in Europe, as such attacks create a significant amount of collateral damage to equipment and buildings as well as a risk to life.

"The EAST Expert Group on Physical Attacks (EGAP) is working to analyse the attacks and to share intelligence best practice information across the industry and law enforcement that can help to mitigate the threat."

For overall ATM-related physical attacks, there were a total of 1,604 incidents recorded in H1 2016, up 30 per cent compared to the 1,232 reported in H1 2015. Losses due to these attacks rose 3 per cent to €27m (up from €26.3m in 2015). The average cash losses were:

Ram raid or burglary attack – €17,327
Explosive attack – €16,631
Robbery – €20,017

However, these figures do not take into account collateral damage to equipment or buildings, which often exceeds the value of the cash lost in successful attacks.

Skim scams

EAST reports [PDF] a 28 per cent increase in ATM-related fraud attacks, up from 8,421 in H1 2015 to 10,820 in H1 2016.

Transaction reversal fraud more than trebled year-on-year from 1,270 to 4,840 incidents, and accounted for the increase in fraudulent attacks, which would otherwise have decreased due to a reduction in card skimming.

Card skimming reports pegged out at 1,573 in H1 2016, down 21 per cent from 1,986 in H1 2015. Losses due to ATM-related fraud attacks rose 12 per cent to €174m in H1 2016 compared to €156m in H1 2015.
International skimming losses (up from €131m in H1 2015 to €142m in H1 2016) explain the rise.

The introduction of Chip and PIN makes it harder to produce counterfeit cards from stolen data, but the same restriction doesn't apply to cards issued outside Europe.

Cards issued in the US and the Asia-Pacific region (particularly Indonesia) are favoured by fraudsters. Attempts to pry open cash machines using malware and similar approaches are also beginning to happen in Western Europe to a very limited extent.

Fraudulent losses are very low from this type of scam which, for now, seems to be restricted to established hot spots such as Mexico and Russia. The number of ATM logical attacks reported to EAST hit 28 (all "cash out" or "jackpotting" attacks) in the first half of 2016, up from just five during the same period in 2015. Related losses were €0.4m. EAST's full report, with breakdowns for each crime category, is available to EAST members and subscribers via its website. ®

Chap cuffed after treating commuters to giant-screen smut

Traffic-stopping hack could mean six years inside under Indonesian 'Immoral act' law

Indonesian police have arrested an “IT expert” in South Jakarta after he reconfigured a giant LED video screen to show porn. The mine's-bigger-than-yours grumble-flick was shown in Wijaya last week, according to The Jakarta Post. The man, identified only as “SAR”, was arrested at the offices of an unnamed company in the South Jakarta suburb of Senopati, police chief inspector-general Mochamad Iriawan told the Post. It seems that a security bungle by the screen's operators gave him access: he told the police that he'd managed to take a photograph of the system's username and password, used that to log in and then went about his business. The police wouldn't confirm that to the Post, because they've so far been unable to find the photograph on his phone. Indonesia's Tribune News (here, but it's got the kind of site script that hangs browsers) says SAR was traced via his IP address.

Both the Post and the Tribune call him an “IT expert”, but someone who makes himself so easy to catch sounds more like “a mug” to Vulture South. The charges aren't trivial: “SAR” will be accused of “immoral acts” under Indonesia's criminal code, and of breaches of the Electronic Information and Transactions Law, and faces a maximum six years in the slammer and a billion-rupiah fine (about US$75,000). News outlet Berita Malam captured the naughtiness at 1:05 in the video below.

Well: as a display of public porn it far outbids a mere refrigerator. ®

Telkom Indonesia Appoints HAUD For SS7 Firewall And Managed Services

28 September 2016, Naxxar, Malta - HAUD, the industry leader in mobile network security and revenue assurance, has been selected by Telkom Indonesia to provide A2P SMS monetisation and SS7 security managed services to create new sources of revenue and improve subscriber experience for the operator. The managed service agreement with HAUD ensures that Telkom Indonesia will not miss out on any lost A2P revenue, and its subscribers are protected from spam and fraudulent SMS traffic.

Through its pioneering Revenue-as-a-Service approach, HAUD will manage the entire A2P monetisation process, from traffic identification and blocking, to redirection of traffic to monetisable channels, without requiring any initial investment from the MNO. With over 157 million subscribers, Telkom Indonesia is the seventh largest mobile network operator (MNO) in the world.

The agreement follows a successful trial in which HAUD deployed a bespoke firewall solution with 24/7 monitoring and carried out an in-depth traffic audit of millions of SMS messages. HAUD’s mobile network firewall provides modular, 360 degree protection against SS7 security vulnerabilities, fraud and spam SMS, while preventing grey route traffic that bypasses network termination fees.
Its range of packages effectively ring-fences networks from malicious messages, while improving customer experience and revenue assurance. Mårten Björkman, SVP Asia Pacific at HAUD, said: “Revenue-as-a-Service is a new approach to helping operators to make the most of all possible income streams available to them.

The global A2P SMS market is worth billions, but many operators are not equipped to claim their fair share, and routinely lose out on large amounts of revenue due to the ongoing use of grey routes. “Being given this opportunity to work with one of the largest MNOs on the planet is a real vote of confidence in HAUD’s managed service offering. HAUD’s knowledge and experience of the global A2P and fraud landscape can help MNOs like Telkom Indonesia stay in control of their networks with a minimal outlay of resources.”

Michael Adiguna, AVP Sales Strategy, Telkom Indonesia, said: “The agreement with HAUD was particularly attractive, and the ability to deliver results almost instantly was impressive. With our revenues maximised and network utilisation improved, we can focus on delivering the quality of service that modern mobile users demand. “With hundreds of millions of messages sent across our network every day, ensuring spam and fraudulent SMS messages are blocked is vital. HAUD’s solution makes sure that the messages our subscribers receive are from genuine, trustworthy sources.”

Asia is widely considered the biggest market globally for A2P SMS, and HAUD works with a number of other MNOs in the region. With the addition of Telkom Indonesia to its customer base, HAUD is now protecting over 10 per cent of the subscribers in the region. For more information on HAUD, visit www.haud.com.

ENDS

For media enquiries, please contact: Gearóid Cashman or Amy Cantrill at Tangerine PR, +44 161 817 6600, haud@tangerinepr.com

Notes to editors

About HAUD: HAUD provides mobile network operators with a complete service to detect fraud, filter spam and protect revenue. HAUD puts operators in control of their networks with flexible solutions, unrivalled expertise and round-the-clock customer support.

The proprietary technology safeguards revenue from telecommunications traffic, enhancing network security and enriches customer experience. HAUD’s portfolio of modular services and solutions can be deployed in custom configurations, providing operators with flexible and robust protection to meet precise requirements. Headquartered in Malta and with offices globally, HAUD offers traffic audits, system trials and various pricing models.
Visit www.haud.com for further information.

Rooting Pokémons in Google Play Store

A few days ago we reported to Google the existence of a new malicious app in the Google Play Store.

The Trojan presented itself as the “Guide for Pokémon Go”.

According to the Google Play Store it has been downloaded more than 500,000 times. Our data suggests there have been at least 6,000 successful infections, including in Russia, India and Indonesia. However, since the app is oriented towards English-speaking users, people in English-speaking countries, and beyond, are also likely to have been hit. Analysis reveals that the app contains a malicious piece of code that downloads rooting malware – malware capable of gaining access to the core Android operating system, in this case for the purposes of unsolicited app installs and adware. Kaspersky Lab products detect the Trojan as HEUR:Trojan.AndroidOS.Ztorg.ad. At least one other version of this particular app was available through Google Play in July 2016.

Further, we have tracked back at least nine other apps infected with this Trojan and available on Google Play Store at different times since December 2015.

Trojan characteristics

The Trojan has many layers of defense in place to help it bypass detection.

This includes a commercial packer that decrypts the original executable file to make it harder to analyze.

The unpacked executable file contains useful code related to the malicious Pokémon Go guide, and one small and obfuscated module.

Process of infection

This small module doesn’t start when the user launches the app.
Instead, it waits for the user to install or uninstall another app, then checks to see if that app runs on a real device or on a virtual machine.
If it turns out that it’s dealing with a device, the Trojan will wait for a further two hours before starting its malicious activity. The first thing it does is connect to its command-and-control (CnC) server and upload data about the device, including country, language, device model and OS version. If the server wants the Trojan to continue it will respond with an ID string. Only if the Trojan receives this ID string will it make its next request to the CnC.
If it doesn’t receive anything, it will wait for two hours and then resubmit the first request.

This feature is included so that the control server can stop the attack from proceeding if it wants to – skipping those users it does not wish to target, or those which it suspects are a sandbox/virtual machine, for example.

Among other things, this provides an additional layer of protection for the malware. Upon receiving the second request, the CnC server will send the Trojan a JSON file with URLs.

The Trojan will download this file, decrypt it and execute.
In our case the Trojan downloaded a file detected as HEUR:Trojan.AndroidOS.Ztorg.a.

This file is obfuscated too. After execution, the Trojan will drop and download some more files.

All downloaded files are encrypted and most of them are local root exploit packs for vulnerabilities dating from 2012 to 2015, including one that was previously used by Hacking Team. These other files represent additional modules of the Trojan and are detected by Kaspersky Lab as: HEUR:Backdoor.AndroidOS.Ztorg.c, HEUR:Trojan.AndroidOS.Muetan.b, HEUR:Trojan.AndroidOS.Ztorg.ad, HEUR:Backdoor.AndroidOS.Ztorg.h, HEUR:Backdoor.AndroidOS.Ztorg.j, HEUR:Trojan-Dropper.AndroidOS.Agent.cv, HEUR:Trojan.AndroidOS.Hiddad.c.

Also included are a few clean tools like busybox and chattr. Using these exploit packs the Trojan will gain root access rights to the device. With rooting rights enabled, the Trojan will install its modules into the system folders, silently installing and uninstalling other apps and displaying unsolicited ads to the user. Most of the other apps with this Trojan module available in Google Play had about 10,000 downloads (according to Google Play), but one – “Digital Clock” – had more than 100,000 downloads.

MD5 of Malicious Files Mentioned in Article

8CB3A269E50CA1F9E958F685AE4A073C
0235CE101595DD0C594D0117BB64C8C3
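The staged, server-gated CnC handshake described in the process of infection above (install/uninstall trigger, two-hour delay, device fingerprint upload, second request only after the server's reply) is the behaviour a sandbox or EDR analyst would want to recognise. The heuristic below is an added example, not Kaspersky Lab code; the event-log format, the host name and the two-hour threshold are constructed assumptions.

```python
"""Heuristic for the delayed, server-gated C2 handshake described above.
Added example, not Kaspersky Lab code: the sandbox log format, the host
name and the 2-hour threshold are constructed assumptions."""
import json

# Constructed dynamic-analysis log: "<seconds> <event> <json payload>"
SAMPLE_LOG = """\
0 app_start {"pkg": "com.example.pokeguide"}
120 broadcast {"action": "android.intent.action.PACKAGE_ADDED"}
7320 http_post {"host": "c2.example.invalid", "body": {"country": "ID", "language": "en", "model": "SM-G900", "os": "5.1"}}
7321 http_resp {"host": "c2.example.invalid", "body": "a1b2c3"}
7322 http_post {"host": "c2.example.invalid", "body": {"id": "a1b2c3"}}
"""

FINGERPRINT = {"country", "language", "model", "os"}   # fields the writeup lists
MIN_DELAY_S = 2 * 3600 * 0.9        # ~2 h with 10% slack (assumption)
TRIGGERS = ("PACKAGE_ADDED", "PACKAGE_REMOVED")

def parse_log(text):
    """Yield (timestamp, kind, payload) tuples from the constructed log."""
    for line in text.splitlines():
        ts, kind, payload = line.split(" ", 2)
        yield int(ts), kind, json.loads(payload)

def staged_beacon_indicators(events):
    """Return the list of matched indicators; all three == full pattern."""
    events = list(events)
    found = []
    trigger = next((ts for ts, k, d in events
                    if k == "broadcast" and d.get("action", "").endswith(TRIGGERS)), None)
    posts = [(ts, d) for ts, k, d in events if k == "http_post"]
    if not posts:
        return found
    first_ts, first = posts[0]
    # 1. first contact only long after an install/uninstall broadcast
    if trigger is not None and first_ts - trigger >= MIN_DELAY_S:
        found.append("delayed_trigger")
    # 2. first request uploads the device fingerprint
    body = first.get("body")
    if isinstance(body, dict) and FINGERPRINT.issubset(body):
        found.append("device_fingerprint")
    # 3. second request only after the server answered the first
    resp_ts = next((ts for ts, k, d in events if k == "http_resp" and ts > first_ts), None)
    if resp_ts is not None and len(posts) > 1 and posts[1][0] > resp_ts:
        found.append("server_gated")
    return found
```

An app that beacons immediately, or without a fingerprint, or without waiting for a reply, matches fewer indicators; only the full three-indicator match is worth escalating on its own.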

Indonesia’s first International ICT event is a resounding success, attracting more...

Jakarta, Indonesia, 8 September 2016: The organiser of Indonesia’s first major ICT event – Communic Indonesia 2016 – today announced that the inaugural show was a huge hit, with 5,691 trade visitors and 266 exhibitors from 28 countries taking part in the show across four days. Hosted by PT. Pamerindo Indonesia, a member of Allworld Exhibitions, Communic Indonesia was held at The Jakarta International Expo last week and attracted industry professionals from across the globe, providing a showcase of the latest products and state-of-the-art technologies in 5G, Big Data, the Internet of Things (IoT), Cloud and Security. The show was supported by Indonesia’s Ministry of Communications and Information Technology and opened by Indonesia’s Vice President H. Muhammad Jusuf Kalla.

This created a huge buzz around the exhibition and the conference, with a number of companies such as Telkomsel and CDN Solutions also making exclusive industry announcements. “The feedback we have received from the visitors and exhibitors of Communic Indonesia has been extremely positive, especially in relation to bringing such a huge and diverse technology show to the region,” said Victor Wong, Project Director at Singapore Exhibition Services. “This is the first event of its kind in Indonesia and the popularity of it shows just how relevant it is to the region. We look forward to welcoming even more visitors to next year’s show.” The show’s exhibitors – including Samsung, AsiaSat and Infinet Wireless – came from 28 different countries including Hong Kong, India, Indonesia, Malaysia, Canada, Australia, the United Kingdom and the United States of America.
Several solutions showcased were claimed to be critical to accelerating the development of Indonesia’s ICT ecosystem to fulfil the aim of becoming Southeast Asia’s largest digital economy by 2020. In addition to the exhibition, Communic Indonesia also featured a two-day conference with three main tracks: Broadband and IoT, E-Commerce, and Satcom, each including plenary sessions, keynote speakers and panel discussions.

Day one alone pulled in 1,926 visitors to the Expo, with the most popular panel sessions and presentations including ‘Efficient Fiber-to-the-Home (FTTH) Deployment’, hosted by Paul Macaulay, President of the FTTH Council Asia-Pacific, and the ‘Power Hub: Provisioning Broadband Networks in Asia’ panel, moderated by Heru Sutadi, Executive Director of the Indonesia ICT Institute. The ICT Summit was co-located with Broadcast Indonesia – an International Digital Multimedia and Entertainment Technology Exhibition & Conference – which provided a platform for top industry leaders to network in one of South-East Asia’s most up-and-coming markets. Following the success of this year’s show, dates for next year’s show have already been confirmed.

Communic Indonesia 2017 will be held at The Jakarta International Expo, in Kemayoran, from October 25-27, 2017 and will again be co-located with Broadcast Indonesia.

- ENDS -

If you would like to connect with us on social media, please visit the below links.
Facebook: https://www.facebook.com/communicindonesia/?fref=ts
LinkedIn: https://www.linkedin.com/groups/7001307
Twitter: @CommunicIndo

For further information, please contact Jayne Garfitt or Michelle Mahoney at Proactive International PR on +44 1636 812152. Or send an email to jayne.garfitt@proactive-pr.com or michelle.mahoney@proactive-pr.com