You are receiving this message because we have identified you as the official contact address or representative of one of the following:
- Cloudflare (https://cloudflare.com/), as we found the suspected site uses Cloudflare’s website protection service,
- NOBU National Bank (https://www.nobubank.com/), as we found payment details linked to the bank,
- Pos Indonesia (https://posindonesia.co.id/), to notify them of a recent phishing attack impersonating the company,
- Representative(s) of the Ministry of Communication and Informatics, Republic of Indonesia (https://kominfo.go.id/), who are involved in SMS and internet regulation,
- Operators of the s.id URL shortening service (https://s.id/), as the phishing actor uses their service to shorten the offending URL(s), and
- Webnic (https://www.webnic.cc/), as the domain registrar of the suspected site.
We have recently found a lucky draw phishing attempt which abuses your service and/or intellectual property while claiming to act on behalf of Pos Indonesia, the Indonesian state-owned post office and delivery service.
The suspected site is located at https://posgiroindonesia.com/, which was registered through Webnic on March 12th, 2022, 01:48:36 UTC, as found in the domain’s WHOIS entry:
Domain Name: posgiroindonesia.com
Registry Domain ID: 2681013274_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date: 2022-03-12T01:50:04Z
Creation Date: 2022-03-12T01:48:36Z
Expiration Date: 2023-03-12T01:48:36Z
Registrar: WEBCC
Registrar IANA ID: 460
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +60.389966799
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Domain Admin
Registrant Organization: Whoisprotection.cc
Registrant Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Registrant City: Kuala Lumpur
Registrant State/Province: Wilayah Persekutuan
Registrant Postal Code: 57000
Registrant Country: Malaysia
Registrant Phone: +60.389966788
Registrant Phone Ext:
Registrant Fax: +603.89966788
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID: Not Available From Registry
Admin Name: Domain Admin
Admin Organization: Whoisprotection.cc
Admin Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Admin City: Kuala Lumpur
Admin State/Province: Wilayah Persekutuan
Admin Postal Code: 57000
Admin Country: Malaysia
Admin Phone: +60.389966788
Admin Phone Ext:
Admin Fax: +603.89966788
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: Not Available From Registry
Tech Name: Domain Admin
Tech Organization: Whoisprotection.cc
Tech Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Tech City: Kuala Lumpur
Tech State/Province: Wilayah Persekutuan
Tech Postal Code: 57000
Tech Country: Malaysia
Tech Phone: +60.389966788
Tech Phone Ext:
Tech Fax: +603.89966788
Tech Fax Ext:
Tech Email: [email protected]
Name Server: DOM.NS.CLOUDFLARE.COM
Name Server: TERESA.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-03-12T01:50:04Z <<<
The site operator uses Cloudflare and a WHOIS privacy service to shield both the website and the identities behind it.
Here, visiting https://posgiroindonesia.com/ directly simply redirects the user to https://posindonesia.co.id/, the official website of Pos Indonesia. However, visiting the suspected domain with a specific random ID redirects the user to a separate page, such as https://posgiroindonesia.com/cf62....e5b7.
The original webpage contains the victim’s name, mobile number and home address, which is why we redacted this information (including the original, offending URL) when publishing this report on our official website at https://reinhart1010.id/.
The phishing website is powered by Laravel, a PHP-based web development framework, which further suggests that the site is being hosted on a LAMP (Linux-Apache-MySQL/MariaDB-PHP)-based web server.
However, we could not identify the web hosting provider, as the site sits behind Cloudflare. In technical terms, a WHOIS lookup on each IP address in posgiroindonesia.com’s DNS records simply returns a list of Cloudflare-managed servers rather than the origin server that actually runs the website.
When the “Claim” button shown in the above screenshot is pressed, the site performs an HTTP POST request that returns a QR code valid for QRIS, the Indonesian national QR-based payment system, which is based on EMVCo’s QR Code Specification for Payment Systems.
Here, understanding EMVCo’s specification for merchant-presented payment QR codes is crucial to identifying the threat actor. The above QR code contains the following payload:
00020101021226670016COM.NOBUBANK.WWW01189360050300000839560214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID20221563643500303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd061920220313165000231530703A016304EFF2
This payload tells us that:
- The QR code declares itself as a dynamic payment QR code (“QRIS Dinamis”), which is more commonly used in payment gateways, EDC machines, and SaaS-based POS systems, rather than a static QR code (“QRIS Statis”), which is commonly printed on stickers in brochures and shops.
- The QR code was created on behalf of “MRS” instead of “Pos Indonesia”, which is intentional: it avoids rejection by the Indonesian banks, digital wallets, and payment providers that are eligible to issue new QRIS payment QR codes.
- The National Merchant ID (NMID) of the suspected scammer’s merchant is ID2022156364350.
- The merchant falls under the “Convenience and Specialty Stores” (5499) category, according to the QR’s metadata. For comparison, we hold a valid static QRIS code (pictured below) which falls under this exact category as well, despite our declaring ourselves a “Software house and SaaS provider” when requesting it from our QRIS issuer.
- The QR code was issued neither by any Indonesian state-owned bank (BNI, BRI, BTN, Bank Mandiri) nor by Pospay, the digital wallet service owned by Pos Indonesia itself.
- Instead, the QR code was issued by NOBU National Bank, a privately-owned Indonesian bank, with the internal merchant PAN 936005030000083956 and internal merchant ID 53118642465581.
- Since the QR code was created dynamically (see Point 1) and issued by NOBU (see Point 6), we strongly suspect that the scammer abuses NOBU’s online payment gateway to generate dynamic QRIS payment codes for phishing and scamming purposes.
Note that we cannot identify the scammer any further from this point. However, it is fairly easy for NOBU and the legal authorities to investigate and apprehend these scammers, as valid Indonesian IDs are still required to request new QRIS codes from authorized issuers, a list of which can be found at https://www.aspi-indonesia.or.id/standar-dan-layanan/qris/.
We decided to notify the related parties in the following order, to help the legal authorities validate this issue before access to both the QRIS merchant account and the suspected website is revoked:
- NOBU National Bank and Pos Indonesia
- s.id URL shortening service and Ministry of Communication and Informatics of Republic of Indonesia
- Cloudflare and Webnic
We value your cooperation in resolving this issue. In fact, we know that most of our contacted parties are still actively fighting online scams from Indonesia and all around the world. We understand that this type of scam is fairly new, hence stopping this scam website in the first place marks a great start in stopping future QRIS-based online scams.
IMPORTANT NOTE: If you are reading this from Indonesia and wish to help, please do not send donations directly to our own QRIS payment code as shown in this blog post. Instead, you may support us in a number of other ways, including through sites such as Saweria and Trakteer, which also support payments from e-wallets and QRIS.
Update 1: March 15, 2022
We forwarded the issue to NOBU National Bank via their official WhatsApp account. However, the bank rejected our report for not submitting transaction evidence with the scammer. The bank expects users to report scams after they have been scammed, or in their own terms, after “experiencing financial losses”.
Meanwhile, the website was experiencing 500: Internal Server Error. The site is broken, I guess. But we decided to forward this issue to Cloudflare and Google Safe Browsing as well.
Update 2: March 18, 2022
We’re still curious enough to check whether the scam site is still working. Our Cloudflare and Google Safe Browsing reports didn’t have any effects, though.
However, what’s changing here is that the “Claim” button redirects to a checkout page generated by Xendit, a Southeast Asia payment gateway, in case you’re already familiar with Square and Stripe. This time, the merchant claimed to be “POSGIRO” instead of “MRS”. The original invoice URL is https://checkout.xendit.co/web/6234b85f9820c061fbb94cfd.
What does a real Pos Indonesia checkout page look like?
Some people also asked us whether there are clear examples of Pos Indonesia’s real checkout page. Fortunately, we have one, from va.posindonesia.co.id, which we received when paying an import tax bill to get our Hacktoberfest 2021 prizes mailed to our home address.* Here’s another QRIS for you to analyze:
The original payload here is:
00020101021226740022ID.CO.POSINDONESIA.WWW01189360816100000060050215ID20211150768080303PSO5204931153033605405675005802ID5917POS_INTERNASIONAL6007BANDUNG61054011562220703A010111500707128306304AB3B
This clearly states that it is a dynamic payment QR code (“QRIS Dinamis”) issued directly by Pos Indonesia, at least for their own postal and delivery services as well as for Pospay merchants.
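As an added example (my own code, not the blog’s nor that of any organisation named in it), here is a small Python parser for the EMVCo TLV layout that QRIS uses, run over both payloads quoted in this post: the NOBU-issued code from the phishing site analysed in the bullet list above, and the genuine Pos Indonesia code here. It recovers the issuer GUID, merchant PAN, NMID, MCC, amount and merchant name that the post reads off by hand, and checks the tag-63 CRC (CRC-16/CCITT-FALSE, as EMVCo specifies); the constant and function names are my own.

```python
# Payloads quoted in the post (phishing NOBU-issued QR, genuine Pos Indonesia QR), split at TLV boundaries.
PHISHING_QRIS = (
    "000201" "010212"
    "2667" "0016COM.NOBUBANK.WWW" "0118936005030000083956" "021453118642465581" "0303UME"
    "5144" "0014ID.CO.QRIS.WWW" "0215ID2022156364350" "0303UME"
    "52045499" "5303360" "5409251990.00" "5802ID" "5903MRS" "6015JAKARTA SELATAN" "610512210"
    "6277" "011403130005439822" "0525c6bf0ed4fb2cec5f40ed066cd" "06192022031316500023153" "0703A01"
    "6304EFF2")
POS_QRIS = (
    "000201" "010212"
    "2674" "0022ID.CO.POSINDONESIA.WWW" "0118936081610000006005" "0215ID2021115076808" "0303PSO"
    "52049311" "5303360" "540567500" "5802ID" "5917POS_INTERNASIONAL" "6007BANDUNG" "610540115"
    "6222" "0703A01" "011150070712830" "6304AB3B")

def parse_tlv(data: str) -> dict:
    """EMVCo payload -> {tag: value}; tag and length are two ASCII digits each."""
    fields, pos = {}, 0
    while pos < len(data):
        tag, length = data[pos:pos + 2], int(data[pos + 2:pos + 4])
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag} at offset {pos}")
        fields[tag] = value
        pos += 4 + length
    return fields

def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the EMVCo tag-63 checksum."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def crc_valid(payload: str) -> bool:
    """Tag 63 covers all preceding data plus its own '6304' tag and length."""
    return f"{crc16_ccitt_false(payload[:-4].encode()):04X}" == payload[-4:].upper()

def summarize(payload: str) -> dict:
    """Extract the fields the post reads off by hand from each payload."""
    root = parse_tlv(payload)
    acct = parse_tlv(root["26"])          # issuer's merchant-account template
    qris = parse_tlv(root.get("51", ""))  # QRIS-domain template (absent in POS_QRIS)
    return {"dynamic": root["01"] == "12",  # 11 = static, 12 = dynamic (single use)
            "issuer": acct["00"],           # reverse-domain GUID of the issuing bank/PSP
            "merchant_pan": acct["01"], "acct_merchant_id": acct["02"],
            "nmid": qris.get("02") or acct["02"],  # NMID: tag 51 here, tag 26 for POS
            "mcc": root["52"], "amount": root.get("54"), "merchant_name": root["59"],
            "crc_ok": crc_valid(payload)}
```

Running summarize on both constants shows the same parser separating a code whose issuer GUID is COM.NOBUBANK.WWW from one issued under ID.CO.POSINDONESIA.WWW, which is the distinction the post relies on; crc_ok flags any payload whose content was altered after the checksum was computed.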