Home Tags Indonesia

Tag: Indonesia

IT threat evolution Q1 2017. Statistics

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.

File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

InfiNet Wireless provides super-fast over-water transmission for Regal Springs fish farms

The solution reduced human intervention, improving employee productivityValletta, Malta. 22 May 2017: InfiNet Wireless, the global leader in fixed broadband wireless connectivity, has provided a cost-effective solution to enable the transmission of voi...

APAC accounted for majority of botnet detections globally

Asia-Pacific contributed more than 50 percent of total botnet detections in the second half of 2016, with the Philippines, Indonesia, India, Thailand, and Malaysia among top 10 countries.

In-the-wild exploits ramp up against high-impact sites using Apache Struts

Hackers are still exploiting the bug to install malware on high-impact sites.

Mobile malware evolution 2016

In 2016, the growth in the number of advertising Trojans capable of exploiting super-user rights continued.

Throughout the year it was the No. 1 threat, and we see no sign of this trend changing.

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer. During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008. Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero. Investigation Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data. Excerpt from the Italian court order on #EyePyramid(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf) Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow: E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples. Here’s how our initial “blind”-written YARA rule looked like: rule crime_ZZ_EyePyramid { meta: copyright = ” Kaspersky Lab”author = ” Kaspersky Lab”maltype = “crimeware”filetype = “Win32 EXE”date = “2016-01-11”version = “1.0” strings: $a0=”eyepyramid.com” ascii wide nocase fullword$a1=”hostpenta.com” ascii wide nocase fullword$a2=”ayexisfitness.com” ascii wide nocase fullword$a3=”enasrl.com” ascii wide nocase fullword$a4=”eurecoove.com” ascii wide nocase fullword$a5=”marashen.com” ascii wide nocase fullword$a6=”millertaylor.com” ascii wide nocase fullword$a7=”occhionero.com” ascii wide nocase fullword$a8=”occhionero.info” ascii wide nocase fullword$a9=”wallserv.com” ascii wide nocase fullword$a10=”westlands.com” ascii wide nocase fullword$a11=”217.115.113.181″ ascii wide nocase fullword$a12=”216.176.180.188″ ascii wide nocase fullword$a13=”65.98.88.29″ ascii wide nocase fullword$a14=”199.15.251.75″ ascii wide nocase fullword$a15=”216.176.180.181″ ascii wide nocase fullword$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword$a20=”gpool@hostpenta.com” ascii wide nocase fullword$a21=”hanger@hostpenta.com” ascii wide nocase fullword$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword$a23=”ulpi715@gmx.com” ascii wide nocase fullword$b0=”purge626@gmail.com” ascii wide fullword$b1=”tip848@gmail.com” ascii wide fullword$b2=”dude626@gmail.com” ascii wide fullword$b3=”octo424@gmail.com” ascii wide fullword$b4=”antoniaf@poste.it” ascii wide fullword$b5=”mmarcucci@virgilio.it” ascii wide fullword$b6=”i.julia@blu.it” ascii wide fullword$b7=”g.simeoni@inwind.it” ascii wide fullword$b8=”g.latagliata@live.com” ascii wide fullword$b9=”rita.p@blu.it” ascii wide fullword$b10=”b.gaetani@live.com” ascii wide fullword$b11=”gpierpaolo@tin.it” ascii wide fullword$b12=”e.barbara@poste.it” ascii wide fullword$b13=”stoccod@libero.it” ascii wide fullword$b14=”g.capezzone@virgilio.it” ascii wide fullword$b15=”baldarim@blu.it” ascii wide fullword$b16=”elsajuliette@blu.it” ascii wide fullword$b17=”dipriamoj@alice.it” ascii wide fullword$b18=”izabelle.d@blu.it” ascii wide fullword$b19=”lu_1974@hotmail.com” ascii wide fullword$b20=”tim11235@gmail.com” ascii wide fullword$b21=”plars575@gmail.com” ascii wide fullword$b22=”guess515@fastmail.fm” ascii wide fullword condition: ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and((any of ($a*)) or (any of ($b*)) )} To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we’ve ran it on our malware collections.

Two of the initial hits were: MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010 MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010 These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified. Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses. Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example: From: Di Marco GianmariaSubject: ricezione e attivazioneTime:2014/01/29 13:57:42Attachment: contatto.zip//Primarie.accdb (…) .exe From: Michelangelo GiorgianniSubject: R: Re: CONVOCAZIONE]Time: 2014/01/28 17:28:56]Attachment: Note.zip//sistemi.pdf (…) .exe Other attachment filenames observed in attacks include: Nuoveassunzioni.7z Assunzione.7z Segnalazioni.doc (…) 7z.exe Regione.7z Energy.7z Risparmio.7z Pagati.7z Final Eight 2012 Suggerimenti Uso Auricolari.exe Fwd Re olio di colza aggiornamento prezzo.exe Approfondimento.7z Allegato.zip Eventi.bmp (…) .exe Quotidiano.mdb (…) _7z.exe Notifica operazioni in sospeso.exe As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives, which contained the EyePyramid malware. Also the attackers relied on executable files masking the extension of the file with multiple spaces.

This technique is significant in terms of the low sophistication level of this attack. High profile victims Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted. Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include: Professional firms, Consultants Universities Vaticano Construction firms Healthcare Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland. Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015. Conclusions Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data. In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught. Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts: HEUR:Trojan.Win32.Generic Trojan.Win32.AntiAV.choz Trojan.Win32.AntiAV.ciok Trojan.Win32.AntiAV.cisb Trojan.Win32.AntiAV.ciyk not-a-virus:HEUR:PSWTool.Win32.Generic not-a-virus:PSWTool.Win32.NetPass.aku A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com
. To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings References and Third-Party Articles Indicators of Compromise Hashes: 09ff13b020de3629b0547e0312a6c135102bccd95e5d8a56c4f7e8b902f5fb7112f3635ab1de63fbcb5e1c492424c6051391d37c6b809f48be7f09aa0dab76571498b8d6e946b5d6b529abea1359238114db577a9b0bfc62f3a25a9a51765bc517af7e00936dcc8af376ad899501ad8b192d5866cbfafae36d5ba321c817bc14325f5d379c4d091743ca8581f15d329536bd8feed1b17c59f3c653e6427661a4380b0f1921fed82e1b68b4e442b04f053c30f0114c600510fdb2573cc48d5c063fed695e2a6e63d971c16fd9e825fec547bea4236184c21e89bd1c1af3e52c8647dd1e017aae694abd2b7bc0b12cf1da47f1f9b1339147fe2d13772b4cb8103053b41dc0b8fd9663047f71bc91a317df5bc1b8c07c0f83d438a3e891dc3899545eb17f400f38c1b65990a8d60c298d956de1e478301d59ac14b8e9636b53815d75621de46a12234af0bec15620be6763778d103face6ad7186596fb0ba2399f2859f60cd5d0f0fbd91bde3c3914cbb188afb6488655cbea2737d2423843ea0779173aefe64b7704510c873e2ce7305e092c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da594eff87eca2f054aa5fbc1877a6cf91998825a1ce35f46d004c0839e87cc27789b8571b5281f3751750d3099049098e09c57839b3f8462bd6c2d36db80cd5ecc9d3ce3246975ae6d545ee9e8ba12d1649d4b46d3c389e0144238c821670f8537a41c5374a14a2c7cbe093ff6b075e8acb39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4bcfd544df7d8e9a2efe9d2ed32e74cadc0243741bfece772f02d1657dc057229c38e9edc0e4b18ff1fc5b61b771f7946ce76b690dc98844c721e6337cd5e7f4bcf391937d79ed6650893b1d5fbed0604d8432ddec880800bfa060af1f8c2e405eb604e7e27727a410fc226196c13afe9fafd293065daf126a9ad9562fc0b00b2 Related hashes identified by @GaborSzappanos: 014f69777d2e0c87f2954ad252d5281002965c8a593989ff7051ec24736da6bd04b3c63907c20d9be255e167de89a39804e949f64e962e757f5bb8566c07800b06e47736256c54d9dd3c3c533c73923e09ff13b020de3629b0547e0312a6c1350a80fd5abf270ddd8080f935058546840b3c1ff3b3b445f46594227ca2babdcd0c33c00a5f0f5bde8c426c3ce376eb110ded0389cbddeeb673836794269ffb3b0e19913ce9799a05ba97ac172ec5f0bc11062b36893c4ba278708ec3da07b1dd12b4d543ae1b98df15c8712d888c54f01334a7df1e59380206841d05d840077814cb305de2476365ef02d2226532dd341748c33cb5ac6f26d55cd1a58b68df8a18e24ef2791030693a4588bfcae1dec0192d5866cbfafae36d5ba321c817bc141b4d423350cd1159057dd7dbef4793281deb28ae7b64fb44358e69e5afd1f6002222a947ebccc8da16badeacca05df4b23beed8aaac883a5902039e6fd84ee5f2485e7ae3e0705898b7787ed0961878d2642990a46c434e7787a599f04742a32268698314c854bc483d05ffe459dc5402866ced99b46b39838f56fbe704d387b2896ae0489451d32f57c68b919b3fa7228ba7d1a4c5d64a65f2f2bf5f6ced12328e65b9577abaabf3f8c94d9fda50fc52a809644e6d07dc9fc111804a62b808930215197622f5c747fc869992768d9c6325f5d379c4d091743ca8581f15d329533890f9268023cd70c762ad2054078c73673c155eb6a0bd8a94bea265ebb8b76369cd42dfabea188fa57f802a83b55d9380b0f1921fed82e1b68b4e442b04f053a0af8bba61734b043edc0f6c61cd1893c30f0114c600510fdb2573cc48d5c063db711afc09c0a403a8ccff6a8a958df3e4365b079239b0a2451f48f337613323ebbae038d7bf19baa1bcfbc438bb5e73fed695e2a6e63d971c16fd9e825fec53ffcd0eedd79a9cc79c2c4a0f7e04b214025834a88dcfba3ed1774068c64c546417593eaf61d45e88adbad259d5585d0422fe9c78c71fb30d376e28ad1c4188444d91f49f261da6b1f183ea131d12a7f45dde4082c0407b9904c5f284080337f47bea4236184c21e89bd1c1af3e52c864a494c20bcfb77afd06908eb5a9718cb53b41dc0b8fd9663047f71bc91a317df5523aa1d4ee5f19522299be6f1111b895627cb8752c4c0774f822ccf8f1363eb56499e0b590857f73bb54f500008c656568895c8340a88316fdc0d77a7f2a91d5847072fd4db9e83d02d8b40a1d678505accd89d6483dec54acc7b1484dfbace5b5f3f65b372f9e24dbc50b21fe31f815bc1b8c07c0f83d438a3e891dc389954622fb530276a639892398410de03d05163d9e7cca593360411b5d05a555d52f36648a255610c5f60f580098bbc1d387c690cdf20faf470f828fe468a635da34e6c25a0974a907d368372ac460d8261d66c5693df933924e8a633ccfd7ef2635d6ff7876db06d9102786ae0e425aeaf3770882709d86e2a7396779f4111cd02e370f094e347d4088573c9af34430a3cd672ffb3418d3cde6fdef16b5b5db01127734cfa84d68506fe6e74eb1b038d9c707633748203b705109ededadfbe08dcfa778d103face6ad7186596fb0ba2399f277c2a369d0850c7a75487e8eee54b69e78b7d1caa4185f02b1c5ef493bf795297971c90d7533f2c69e33f2461434096a7aad90ce44e355f95b820fb59c9f5d567bf348005958658ba3fcf5ccb3e2ae227cddc3b26bb8f98e9b14d9c988f36f8f81624dc108e2d3dc712f3e6dd138736a820ca39f331f068cca71e7a7c281e4ac84c14a1327ae7c0e5a07a67a57451cc4860f607dbd0d6a2dc69cbc4f3b0eeeaf889c86aaf22876516964eafa475a2acd88c31f3b589d64a275608f471163989c89368652dc98b13f644ec2e356c7707c89696dbead484bf948c1dd86364672eb898150dea4d7275f996e7341463db21f8b27bcfa38205754c8e5fdf6a509d60e8f419bca20b767b03f128a19b82611ab915cc3c9c8cb8e200dbe04e425e7018b92c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da598825a1ce35f46d004c0839e87cc277898b1157b9f3f3ec183bf322615f1ce419b19729531bf15afc38dd73bcc0596f89c99ecf33301e4cafdd848a7d3d77ef99cf08b15724e0eaf69a63e47690cdee2a16d8cf9a7a52e5c2ad6519766ae6b92a35312a5c0b06ee89ddadaea9ca6bad2a4c551ec6d3b5ab08a252231439e099fa615a4f5e93a63682a8f25b331f62882a6c29f9680fe5ae10a9250e5431754d4ab71ca072d4b526e258c21bd84ec0632ac6fa4005e587ac4b3456a14bd741ff0afab0fcbf8bc6595f9f2c0051b975a4eb1ddec2f71727dcf747e1d385272e24db2a756f557d273d81a61edc9fbfc9dafb2e1663647addc92bf253f389ac98027b39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4b6e86ac7d3bbedf18b98437df49c1b60b70ddb9f6e4e2c85e80cf2079b10e762b89a8d3442d96161cef07552116407c3bb2a0aee38980aeb39cac06677936c96bc333001d3f458ff8fde9d989b53e16dbd7a2b795419c0b842fd041eaac36d7fbf850dcb074e0cf2e30fbee6bfaa4cd9c0d4e5ba26ef3c08dc1a29ac7496f015c38832f484645b516b57f6813c42d554c4abb3210f26d4a15a0d4fd41b47ee0ec547a30fa39f22e2093b51ed254bb1c2c69c370fcb7b645aaac086b2a3b18286c7ef4c7b12b5ad8198dafc58c4bea2a3c97ef1f13bf3d74c78f50fa7abe7766bca010bcdfe3c4965df0c6bc12b40db76ca243796e79c87c55f67a61bc3ee8ddcca9a7c6b231fadfae3466da890b434c5cf391937d79ed6650893b1d5fbed0604cf3b3c796114f6908a35542d4fd02b0ed034810ddab55c17dcddd2c2990b3ef3d1273537add3f2282391726489c65e38d20487e2d2f674bfd849cb8730225dded8432ddec880800bfa060af1f8c2e405d864ad5030d354c1e40a873a335b2611dac10dcede69eb9b4ccce8e6798f332cdb95221ebed1793bf5b5527ecb52eb0cdc64307ef67177449b31c6bb829edbf2dd734c07b94c8685bb809f83876c7193e0e862dbf001eb4a169d3340c200b501e727b444a6a9fa9d40a34a9508b1079fe7539ed9616b61c12028a663c298f6bee78ed9fac4f3e9b443abd02bfa9f3db2e85ff9e3a27899b0d1de8b958af5ad90eb604e7e27727a410fc226196c13afe9eba8aa2572cf0d6ccdf99c34cc26b6f3ec21252421f26072e9fe75586eb6b58aee9435593494f17f3efc3a795c45482eeeca6409dcf0e46d0182d53d230c701deff2d3f9f56e9aabcf970c4c09fe7ef8f0b61a531a72f0cc02d06d2ebfb935abf1a037e2edc5ddf4db4e1e7fcd33d5fbf3802442727c0b614482455d6ad9edc2f41be516fa8da87a269845c9ea688749f7d4742d2e746962440bf517b261f126f96335bf0512c6e65ea374a844ab7cebf9b4459f18ca9d2974cf5a58495c5879fa4266c305aa75a133ebae2a4dcc9b75fafd293065daf126a9ad9562fc0b00b2 Backdoor Filenames: pnbwz.exepxcfx.exeqislg.exerqklt.exerunwt.exeruzvs.exervhct.exevidhdw.exewinlng.exewxrun.exexddrv.exexdwdrv.exe Malicious attachments filenames (weak indicators): contatto.zip//Primarie.accdb (…) .exeNote.zip//sistemi.pdf (…) .exeNuoveassunzioni.7zAssunzione.7zSegnalazioni.doc (…) 7z.exeRegione.7zEnergy.7zRisparmio.7zPagati.7zFinal Eight 2012 Suggerimenti Uso Auricolari.exeFwd Re olio di colza aggiornamento prezzo.exeApprofondimento.7zAllegato.zipEventi.bmp (…) .exeQuotidiano.mdb (…) _7z.exe

Computop and AsiaPay Partner to Enable Retailers to Safely and Effectively...

Bamberg and Hong Kong – December 15, 2016 – Computop, a leading payment service provider, and AsiaPay, one of Asia-Pacific’s most distinguished payment service providers, today announced their new strategic partnership.

The relationship enables retailers to securely process payments in Asia-Pacific through Computop’s Paygate payment gateway using the payment methods that consumers in the region prefer and trust, helping to positively impact sales and the overall customer experience.A recent e-Marketer report noted that Asia-Pacific will remain the world’s largest retail e-commerce market, with sales expected to top $1 trillion in 2016 and more than double to $2.725 trillion by 2020.

Findings also noted that the region will see the fastest rise in retail e-commerce sales, increasing 31.5% this year.
In addition, according to a study by Kantar TNS, Asia-Pacific is leading the world in mobile payment with over half (53%) of connected consumers using their mobile phones to pay for goods or services at the point-of-sale via apps.

As such, the Computop and AsiaPay partnership enables retailers to capitalize on the growth opportunity that Asia-Pacific presents. “Expanding business into foreign markets may seem daunting, but working with companies that have a strong foothold in those regions and that understand the payment behaviors and preferences of consumers in those countries is key to retailer success,” said Ralf Gladis, CEO of Computop. “Through our partnership with AsiaPay, Computop is able to provide merchant customers with the opportunity to take advantage of Asia-Pacific consumers’ appetite for e-commerce. With Computop Paygate integrated with AsiaPay, retailers benefit from the secure payment options that southeast Asian consumers expect and trust.” “We are very honoured to be a strategic partner of Computop,” said Joseph Chan, CEO of AsiaPay. “Our company has more than 16 years of experience in credit card processing and international business service, giving us a solid position as a premier e-Payment player in the region.

Furthermore, we have a keen understanding of merchants’ payment requirements in the fast-paced e-commerce business environment. We believe that a strategic cooperation with Computop can help merchants improve their processing efficiency, thereby contributing to their business growth as well as support their global endeavor,” he added. Founded in 2000, AsiaPay offers secure and cost-effective electronic payment processing solutions and services to banks and e-businesses globally.

The company offers a variety of card payments, online bank transfers, e- wallets and cash payments across over 16 countries, including Hong Kong, China, India, Indonesia, Malaysia, Singapore, Philippines, Taiwan, Thailand and Vietnam.
It is a certified international 3-D secure vendor for VISA, MasterCard, American Express and JCB. Computop Paygate is a PCI-certified omnichannel payment platform that provides retailers with secure payment solutions and efficient fraud prevention for international markets.

Computop integrated AsiaPay into Paygate to offer merchants a wide range of payment methods in the Asia-Pacific region to support their cross-border and global commerce efforts. Payment methods available on Paygate include Alipay, American Express, JCB, Tenpay and WeChat, along with many other widely-accepted payment options that consumers in these countries use. About ComputopComputop is a leading global payment service provider (PSP) that provides compliant and secure solutions in the fields of e-commerce, POS, m-commerce and Mail Order and Telephone Order (MOTO).

The company, founded in 1997, is headquartered in Bamberg, Germany, with additional independent offices in China, the UK and the U.S.

Computop processes transactions totalling $24 billion per year for its client network of over 14,000 mid-size and large international merchants and global marketplace partners in industries such as retail, travel and gaming.

Global customers include C&A, Fossil, Metro Cash & Carry, Rakuten, Samsung and Swarovski.

Following the recent asset deal with the Otto Group, Computop is now processing payments for merchants that previously used EOS Payment, including all 100 Otto retail brands.
In cooperation with its network of financial and technology partners, which it has expanded over many years, Computop offers a comprehensive multichannel solution that is geared to the needs of today's market and provides merchants with seamlessly integrated payment processes. For further information, please visit www.computop.com. About AsiaPayFounded in 2000, AsiaPay, a premier electronic payment solution and technology vendor and payment service provider, strives to bring advanced, secure, integrated and cost-effective electronic payment processing solutions and services to banks, corporate and e-Businesses in the worldwide market, covering international credit card, China UnionPay (CUP) card, debit card and other prepaid card payments. AsiaPay is an accredited payment processor and payment gateway solution vendor for banks, certified IPSP for merchants, certified international 3-D Secure vendor for Visa, MasterCard, American Express and JCB.

AsiaPay offers its variety of award-winning payment solutions that are multi-currency, multi-lingual, multi-card and multi-channel, together with its advanced fraud detection and management solutions. Headquartered in Hong Kong, AsiaPay offers its professional e-Payment solution consultancy and quality local service support across its other 12 offices in Asia including: Thailand, Philippines, Singapore, Malaysia, Mainland China, Taiwan, Vietnam, Indonesia and India.

For more information, please visit www.asiapay.com and www.paydollar.com. ### For further information, please contact:Jessica MularczykAscendant Communications, for Computop in the U.S.Tel: 508-498-9300E-mail: jmularczyk@ascendcomms.net Charlotte HansonAscendant Communications, for Computop in the UKTel: +44 (0) 208 334 8041E-mail: chanson@ascendcomms.net Valerie SanchezSenior Channel ManagerAsiaPayTel: (632) 887-2288E-mail: valerie.sanchez@asiapay.com Alvin ChanAssociate Director, Sales & MarketingAsiaPayTel: +852-2538 8278E-mail: alvin.chan@asiapay.com

Crims turn to phishing-as-a-service to slash costs and max profits

So says Imperva after trolling the dark web Prefab phishing campaigns cost less to run and are twice as profitable as traditional phishing attacks, according to a new study by security vendor Imperva. Cybercriminals are lowering the cost and increasing the effectiveness of email phishing by buying complete packages of compromised servers and all the other components necessary to run a campaign of phishing attacks.

These so-called phishing-as-a-service bundles are cheaper than trying to cobble together it an email campaign from scratch.

That probably seems obvious to you, but it's useful to see some research confirming it. For one thing, the tactic is driving an across-the-board increase in phishing attacks. Phishing is the starting point for most network and data breaches.
Imperva researchers began their study by going through listings on dark-web marketplaces.

This allowed them to estimate the cost of phishing campaigns and gave them a clearer picture of the business model behind these all-too-commonplace scams. Based on the costs of the studied campaign – which used phishing pages, a spam server, an email list of 100,000 email addresses and access to compromised servers – the overall estimated expenses of an unmanaged phishing scam is about $27.65, Imperva estimates. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered up-front costs. Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which tends to be more labour intensive. Lowering the costs and technology barriers associated with phishing will almost certainly lead to an increase in phishing campaigns, and the number of people falling victim to these cybercrime operations. The ease of purchase and low cost of PhaaS campaigns is highly likely to make frauds that rely on tricking marks into handing over login credentials for sensitive websites even more commonplace, Imperva concludes. “The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, cofounder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts, because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability.” Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016.

The researchers found that people are most likely to take the email phishing bait while at work, rather than at home.

Around a third (35 per cent) of successful phishing attacks were activated between 0900 and noon while victims were at work, busy writing and replying to emails.

The researchers also found that victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email before filling in a web form with their login credentials. Imperva researchers were able to link the campaign to an Indonesian hacking group that began its “career” with a series of web defacement attacks against targets in the US, Australia and Indonesia.
In late 2015, the group graduated to money-making hack attacks against online shops that use the Magento e‑commerce system. Two-thirds (68 per cent) of the victim credentials harvested by the group did not exist in previously known public breaches (one-third had been breached in the past). Imperva’s latest Hacker Intelligence Initiative report, Phishing made easy: Time to rethink your prevention strategy?, can be found here [PDF].

An Infographic summarising the main findings of the study is here [PDF]. ® Sponsored: Want to know more about PAM? Visit The Register's hub

That Botnet-of-Things malware is getting a nasty makeover

More bots.

Thanks, Internet of Things.reader comments 29 Share this story Mirai—the malware responsible for creating a massive "botnet" of hacked Internet-connected cameras, digital video recorders, and other devices that interrupted Internet services for many last week—is still in action, according to data from the network security company Arbor Networks.

An ever-shifting army of about 500,000 compromised Internet of Things (IoT) devices is still being controlled by Mirai, based on Arbor's tracking of the malware's communications.

And multiple command-and-control networks are still directing those devices to attack websites and service providers across the Internet.

But as previously predicted, new and improved versions of the Mirai malware—based on the openly-published source code Mirai's alleged author posted on September 30—are now appearing in the " and wreaking additional havoc. In a blog post, Roland Dobbins, Principal Engineer on Arbor's ASERT Team, noted that "relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain." Devices that are vulnerable to Mirai takeover, he noted, "are typically listening for inbound telnet access on TCP [port] 23 and TCP [port] 2323," and compromised devices communicate via "a remote-control backdoor" that is also present in Mirai, "accessible via TCP/103." Mirai botnets constantly scan the entire Internet for vulnerable devices, so even when a device is rebooted or reset, it can be compromised all over again within 10 minutes. Dobbins also noted that "multiple threat actor groups are actively working to expand and improve" the attacks that were coded into Mirai, and that "some alterations in the DDoS attack capabilities of at least one Mirai-derived botnet have been observed in the wild." In a Skype call with Ars, Dobbins said, "It's a minor enhancement to one of the existing [Mirai] attacks." He couldn't give detail about the enhancements, but he added that "multiple groups are working to enhance and customize Mirai." The original Mirai code is capable of a variety of attacks against DNS services and websites, in addition to more generic network "flood" attacks based on the TCP, UDP, and Generic Routing Encapsulation protocols. Mirai accounted for most of the attack on Dyn's DNS service on October 21, and was part of earlier attacks on security reporter Brian Krebs' site and on French cloud provider OVH.

Those attacks measured over 600 gigabits per second and over 1.5 terabits per second at their peaks, respectively. While the total volume of traffic thrown at Dyn hasn’t yet been publicly released, Level 3 Communications chief security officer Dale Drew said in a Twitter conversation that the numbers had been shared with major network operators.

Drew told Ars in a separate conversation that "tens of millions" of distinct devices were involved in the Dyn DoS attack, and that some of them were clearly not Mirai-infected devices; not all of the devices were necessarily active at the same time. Dobbins wrote that the "potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant." The outbound traffic from hacked devices—including attacks against intended targets and scanning for other vulnerable devices—could crimp the network bandwidth of even major broadband ISPs, causing outages for customers. Given the wide availability of the code, it's fairly certain that even more Mirai variants will emerge—and make their presence felt as the holidays approach.

Criminal botnet operators will likely use Mirai's success as a way to extract blackmail payments from online retailers and banks with threats of interfering with online shopping.
Stopping (or at least reducing) those attacks will require network operators to work to identify vulnerable or hacked devices themselves and block the command-and-control traffic to them.

Forget malware, crooks are cracking ATMs the old-fashioned way – with...

Blowing up cash machines is blowing up Bank raiders are increasingly turning to explosives in order to break into cash machines. The European ATM Security Team (EAST) reports that ATM explosive attacks were up 80 per cent in the first half of 2016 compared to the same period last year.

A total of 492 explosive attacks were reported, up from 273 during the same period in 2015. The majority were explosive gas attacks, but 110 involved solid explosives. EAST executive director Lachlan Gunn said: "This rise in explosive attacks is of great concern to the industry in Europe, as such attacks create a significant amount of collateral damage to equipment and buildings as well as a risk to life. "The EAST Expert Group on Physical Attacks (EGAP) is working to analyse the attacks and to share intelligence best practice information across the industry and law enforcement that can help to mitigate the threat." For overall ATM-related physical attacks, there were a total of 1,604 incidents recorded in H1 2016, up 30 per cent compared to the 1,232 reported in H1 2015. Losses due to these attacks rose 3 per cent to €27m (up from €26.3m in 2015). The average cash losses were: Ram raid or burglary attack – €17,327 Explosive attack – €16,631 Robbery – €20,017 However, these figures do not take into account collateral damage to equipment or buildings, which often exceeds the value of the cash lost in successful attacks. Skim scams EAST reports [PDF] a 28 per cent increase in ATM-related fraud attacks, up from 8,421 in H1 2015 to 10,820 in H1 2016.

Transaction reversal fraud more than trebled year-on-year from 1,270 to 4,840 incidents, and accounted for the increase in fraudulent attacks, which would otherwise have decreased due to a reduction in card skimming.

Card skimming reports pegged out at 1,573 in H1 2016, down 21 per cent from 1,986 in H1 2015. Losses due to ATM-related fraud attacks rose 12 per cent to €174m in H1 2016 compared to €156m in H1 2015.
International skimming losses (up from €131m in H1 2015 to €142m in H1 2016) explain the rise.

The introduction of Chip and PIN makes it harder to produce counterfeit cards from stolen data, but the same restriction doesn't apply on cards cards outside Europe.

Cards issued in the US and the Asia-Pacific region (particularly Indonesia) are favoured by fraudsters. Attempts to pry open cash machines using malware and similar approaches are also beginning to happen in Western Europe to a very limited extent.

Fraudulent losses are very low from this type of scam which, for now, seems to be restricted to established hot spots such as Mexico and Russia. The number of ATM logical attacks reported to EAST hit 28 (all "cash out" or "jackpotting" attacks) in the first half of 2016, up from just five during the same period in 2015. Related losses were €0.4m. EAST's full report, with breakdowns for each crime category, is available to EAST members and subscribers via its website. ®

Chap cuffed after treating commuters to giant-screen smut

Traffic-stopping hack could mean six years inside under Indonesian 'Immoral act' law Indonesian police have arrested an “IT expert” in South Jakarta after he reconfigured a giant LED video screen to show porn. The mine's-bigger-than-yours grumble-flick was shown in Wijaya last week, according to The Jakarta Post. The man, identified only as “SAR”, was arrested at the offices of an unnamed company in the South Jakarta suburb of Senopati, police chief inspector-general Mochamad Iriawan told the Post. It seems that a security bungle by the screen's operators gave him access: he told the police that he'd managed to take a photograph of the system's username and password, and used that to log in and then went about his business. The police wouldn't confirm that to the Post, because they've so far been unable to find the photograph on his phone. Indonesia's Tribune News (here, but it's got the kind of site script that hangs browsers) says SAR was traced via his IP address.

Both the Post and the Tribune call him an “IT expert”, but someone who makes himself so easy to catch sounds more like “a mug” to Vulture South. The charges aren't trivial: “SAR” will be accused of “immoral acts” under Indonesia's criminal code, and of breaches of the Electronic Information and Transactions Law, and faces a maximum six years in the slammer and a billion-rupiah fine (about US$75,000). News outlet Berita Malam captured the naughtiness at 1:05 in the video below. Youtube Video Well: as a display of public porn it far outbids a mere refrigerator. ®

Telkom Indonesia Appoints HAUD For SS7 Firewall And Managed Services

28 September 2016, Naxxar, Malta - HAUD, the industry leader in mobile network security and revenue assurance, has been selected by Telkom Indonesia to provide A2P SMS monetisation and SS7 security managed services to create new sources of revenue and improve subscriber experience for the operator.The managed service agreement with HAUD ensures that Telkom Indonesia will not miss out on any lost A2P revenue, and its subscribers are protected from spam and fraudulent SMS traffic.

Through its pioneering Revenue-as-a-Service approach, HAUD will manage the entire A2P monetisation process, from traffic identification and blocking, to redirection of traffic to monetisable channels, without requiring any initial investment from the MNO. Telkom Indonesia Appoints HAUD With over 157 million subscribers, Telkom Indonesia is the seventh largest mobile network operator (MNO) in the world.

The agreement follows a successful trial in which HAUD deployed a bespoke firewall solution with 24/7 monitoring and carried out an in-depth traffic audit of millions of SMS messages. HAUD’s mobile network firewall provides modular, 360 degree protection against SS7 security vulnerabilities, fraud and spam SMS, while preventing grey route traffic that bypasses network termination fees.
Its range of packages effectively ring-fence networks from malicious messages, while improving customer experience and revenue assurances. Mårten Björkman, SVP Asia Pacific at HAUD, said: “Revenue-as-a-Service is a new approach to helping operators to make the most of all possible income streams available to them.

The global A2P SMS market is worth billions, but many operators are not equipped to claim their fair share, and routinely lose out on large amounts of revenue due to the ongoing use of grey routes. “Being given this opportunity to work with one of the largest MNOs on the planet is a real vote of confidence in HAUD’s managed service offering. HAUD’s knowledge and experience of the global A2P and fraud landscape can help MNOs like Telkom Indonesia stay in control of their networks with a minimal outlay of resources.” Michael Adiguna, AVP Sales Strategy, Telkom Indonesia, said: “The agreement with HAUD was particularly attractive, and the ability to deliver results almost instantly was impressive. With our revenues maximised and network utilisation improved, we can focus on delivering the quality of service that modern mobile users demand. “With hundreds of millions of messages sent across our network every day, ensuring spam and fraudulent SMS messages are blocked is vital. HAUD’s solution makes sure that the messages our subscribers receive are from genuine, trustworthy sources.” Asia is widely considered the biggest market globally for A2P SMS and HAUD works with a number of other MNOs in the region. With the addition of Telkom Indonesia to its customer base, HAUD is now protecting over 10 per cent of the subscribers in the region. For more information on HAUD, visit www.haud.com. ENDS For media enquiries, please contact:Gearóid Cashman or Amy Cantrill at Tangerine PR+44 161 817 6600haud@tangerinepr.com Notes to editors About HAUD:HAUD provides mobile network operators with a complete service to detect fraud, filter spam and protect revenue. HAUD puts operators in control of their networks with flexible solutions, unrivalled expertise and round-the-clock customer support.

The proprietary technology safeguards revenue from telecommunications traffic, enhancing network security and enriches customer experience. HAUD’s portfolio of modular services and solutions can be deployed in custom configurations, providing operators with flexible and robust protection to meet precise requirements. Headquartered in Malta and with offices globally, HAUD offers traffic audits, system trials and various pricing models.
Visit www.haud.com for further information.