It was June 2021 and we were trying to send emails for those joining HISHOT 2021, an online community seminar held by the Computer Science Studient Association of BINUS University (HINTI BINUS). If we decide to use Gmail, well, one day Google could ban us if we send more and more automated emails in the long-term. Good thing that the web hosting service behind himti.or.id also offers a SMTP email service, which we can use instead to send to them on behalf of [email protected]. The web hosting provider rate-limits the inbuilt SMTP service to the maximum of 200 emails per hour. But just to be safe, we're just going to use a half of them. That means we have to schedule the emails to be sent at a constant rate. Sure, we can use a MySQL database to store the pending emails, but Reinhart doesn't want to run and cron PHP scripts inside the remote server. At the end of the day, he decided to write a Python script and run them on his own PC. But one question remains. Is there a better way than just letting that big laptop to run scripts 24/7? Do we have a more energy-efficient way to do this? Apparently before Reinhart got his first Raspberry Pi 3 as a birthday gift and later bought an Orange Pi Zero, and they're both unused. So we decided to try the smaller house, and oh boy, we made it root. Hey, you may already read about Shift's log about sending emails before. But sure, everyone's working to get the job done. Here we fetch all draft messages to the roothouse befor asking her to deliver one-by-one. And spoiler alert, the roothouse is getting bigger! Version 0: A greedy Python script. We first iterated on creating a simple Python script which does these things: Get a list of draft emails, straight from a remote MySQL database For each emails, send them via SMTP Simple, right? The original script really worked well. However, another problem came when the script needs to fetch all of the pending emails. Or in other words, if there are 1,000 email messages waiting to be sent, the script horribly fetches ALL of them before being able to be sent. Well, that's too much and we should fetch them little by little. Not to mention there could be some messages which we need to prioritize for and to let Shift recover again when the script crashes. Version 1: A slightly efficient script. Then we decided to send emails by priority levels by upgrading the database and our SQL query. And as expected, this version worked even better especially when queuing low-priority emails (e.g. attendance receipts and e-certificates). We also tried to fetch at most 50 pending emails per batch, before sending and re-checking them, so the overall delivery time can be significantly improved. Additionally, we started to accept and parse email messages written in Markdown so yeah, we can finally make your next emails from HIMTI less boring. HIMTI's Unified Registration system also used Markdown for creating event announcements, and we're very happy to integrate that into our emails. This version worked well until we had to think about delivering e-certificates for HISHOT 2021. No, not by sending a OneDrive or Google Drive link to the list of e-certificates, but attaching them directly into the message. So here comes Version 2. Version 2: Because e-certificates broke our script. Sending e-certificates are much slower than regular, plaintext/HTML/Markdown emails for one reason: they're huge. There are two main strategies for this, whether the script is instructed to fetch the file locally and add them to the email list, or by including the entire attached message into the database. We ended up choosing the latter one because that means we can also send anything beyond images and e-certificates. So as usual, we upgraded the database and script, but then the hosting provider blocked our websites for storing too much data inside the database. That's quite a bummer, though, that we have to regularly clear sent emails from the database to be able to schedule new emails for more people. Version 3: Concurrency. As this great email delivery solution for HISHOT was adopted to more HIMTI events, including TECHNO 2021, COMPUTERUN 2.0, and HIMTI ELECTION 2021, we realized that we have to upgrade our infrastructure to be able to send more emails, for more events and people! We also realized that not every message have to be sent over the himti.or.id SMTP server. For example, internal message for event committees when a new participant have registered and paid for the event. That's why we decided to use Shiftine's private email address to send these committee messages. And more than that, we start to use GitHub Actions to help us check emails more regularly, being able to sleep() when there are no more emails to send. We can also prioritize and strategize the delivery of different emails from separate events, like sending HIMTI ELECTION receipts during the day and COMPUTERUN 2.0 reminders during the night. Some personal reflections. Yeah, that was great! I was able to share my "can't hibernate, i'm overpowered" spirit to help people in the real world. And as I now help to maintain BINUS Today's list of articles as part of my chore, seeing those sent emails feels like a nostalgia for me. Oh, right, you can check out our final code at https://github.com/alterine0101/emailer.py/.

There are still lots of people laughing at us for “(#_ )”. Yes, the company. Even though we justified our reasons for the name (in which we actually snug the Kiloword-Pictogram Equivalence Theorem), there's also one other reason behind our interests about the name. We really wanted to build a brand that's as close to humans and computers. However, we ended up having to choose to: Tend to become humans Tend to become computers Defeating the stereotypical hacker. Stereotypical hackers tend to wear Guy Fawkes' Masks, which is somewhat synonymous with Anonymous. However, there's another stereotype of hacker who wears instead a mask with crossed eyes and zipped mouth, like this: And even featured in DedSec on Ubisoft's Watch Dogs 2: Before ending up with (#_ ), we wanted to build something that looks original and relatable, while preserving the core elements of the hacker culture. The cash and the hash. Modern UNIX folks really know what the cash ($) and the hash (#) really are. They are traditionally used to determine whether the user who's tinkering with the Terminal is root, aka. the most powerful user in the UNIX-verse. This is true in the original sh, ash, dash, ksh, and even bash. That said, zsh and my favorite fish sports a different default prompt (ie. without the infamous cash symbol). So, what else can we do from root? Making connections with people as if they are (#_^), as we mentioned before. So we could be fun as (#_ ), we could be scary as (#_ ). Despite everything, the #, root, is in us. (#_ )

You are receiving this message as we have found you as the official contact address or representative of one of the following: Cloudflare (https://cloudflare.com/), as we found the suspected site uses Cloudflare's website protection service,NOBU National Bank (https://www.nobubank.com/), as we found payment details linked to the bank,Pos Indonesia (https://posindonesia.co.id/), to notify on a recent phishing attack claiming on behalf of the company,Representative(s) of Ministry of Communication and Informatics, Republic of Indonesia (https://kominfo.go.id/) who are taking part in SMS and internet regulations,Operators of the s.id URL shortening service (https://s.id/), as the phishing actor uses their service to shorten the offending URL(s), andWebnic (https://www.webnic.cc/), as the domain registrar of the suspected site. We have recently found a lucky draw phishing attempt which uses your service and/or intellectual properties which claims on behalf of Pos Indonesia, the Indonesian state-owned post office and delivery service. The suspected site is located on https://posgiroindonesia.com/, which was registered through Webnic on March 12th, 2022, 01:48:36 UTC as found on the domain's WHOIS entry: Domain Name: posgiroindonesia.com Registry Domain ID: 2681013274_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.webnic.cc Registrar URL: webnic.cc Updated Date: 2022-03-12T01:50:04Z Creation Date: 2022-03-12T01:48:36Z Expiration Date: 2023-03-12T01:48:36Z Registrar: WEBCC Registrar IANA ID: 460 Registrar Abuse Contact Email: [email protected] Registrar Abuse Contact Phone: +60.389966799 Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Not Available From Registry Registrant Name: Domain Admin Registrant Organization: Whoisprotection.cc Registrant Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil Registrant City: Kuala Lumpur Registrant State/Province: Wilayah Persekutuan Registrant Postal Code: 57000 Registrant Country: Malaysia Registrant Phone: +60.389966788 Registrant Phone Ext: Registrant Fax: +603.89966788 Registrant Fax Ext: Registrant Email: [email protected] Registry Admin ID: Not Available From Registry Admin Name: Domain Admin Admin Organization: Whoisprotection.cc Admin Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil Admin City: Kuala Lumpur Admin State/Province: Wilayah Persekutuan Admin Postal Code: 57000 Admin Country: Malaysia Admin Phone: +60.389966788 Admin Phone Ext: Admin Fax: +603.89966788 Admin Fax Ext: Admin Email: [email protected] Registry Tech ID: Not Available From Registry Tech Name: Domain Admin Tech Organization: Whoisprotection.cc Tech Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil Tech City: Kuala Lumpur Tech State/Province: Wilayah Persekutuan Tech Postal Code: 57000 Tech Country: Malaysia Tech Phone: +60.389966788 Tech Phone Ext: Tech Fax: +603.89966788 Tech Fax Ext: Tech Email: [email protected] Name Server: DOM.NS.CLOUDFLARE.COM Name Server: TERESA.NS.CLOUDFLARE.COM DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2022-03-12T01:50:04Z <<< The site uses Cloudflare and a WHOIS protection service to protect their website and related identities. Here, visiting https://posgiroindonesia.com/ directly will simply redirect the user to https://posindonesia.co.id/, the official website of Pos Indonesia. However, visiting the suspected URL with a special random ID will redirect the user into a special website, such as https://posgiroindonesia.com/cf62....e5b7. The original webpage consists the victim's name, mobile number, as well as home address. This is why we decided to redact these information (including the original, offending URL) when publishing this report to our official website at https://reinhart1010.id/. The phishing website is powered by Laravel, a PHP-based web development framework, which further suggests that the site is being hosted on a LAMP (Linux-Apache-MySQL/MariaDB-PHP)-based web server. However, we could not identify the web hosting provider of this website as the site is being protected by Cloudflare. In technical terms, performing a WHOIS entry lookup on each of IP addresses linked to the posgiroindonesia.com's DNS entry will simply return a list of Cloudflare-managed servers, instead of the original web server which runs the website. When pressing the "Claim" button shown on the above screenshot, the site performs a HTTP POST request to return a valid QR code for use in QRIS, the national QR-based payment system which is based on EMVCo's QR Code Specification for Payment Systems. Here, understanding the EMVCo's specification for merchant-presented payment QR codes is crucial to identify the threat actor. The above QR code contains the following payload: 00020101021226670016COM.NOBUBANK.WWW01189360050300000839560214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID20221563643500303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd061920220313165000231530703A016304EFF2 Which suggests that: The QR code declares itself as a dynamic payment QR code ("QRIS Dinamis"), which are more commonly used in payment gateways, EDC machines, and SaaS-based POS systems rather than a static QR code ("QRIS Statis") which is commonly printed as stickers in brochures and shops.The QR code was created on behalf of "MRS" instead of "Pos Indonesia", which is intentional to avoid rejection by Indonesian banks, digital wallets, and payment providers who are eligible to issue new QRIS payment QR codes.The National Merchant ID (NMID) of the suspected scammer's merchant is ID2022156364350.The merchant falls under the "Convenience and Specialty Stores" (5499) category, according to the QR's metadata. Similarly, we also have a valid static QRIS code (pictured below) which also falls under this exact category, despite declaring ourselves as a "Software house and SaaS provider" when requesting one from our QRIS issuer. Our official QRIS QR code. Original payload: 00020101021126680016ID.CO.TELKOM.WWW011893600898029003487302150001952900348730303UMI51440014ID.CO.QRIS.WWW0215ID10221477541080303UMI5204549953033605502015802ID5925REINHART PREVIANO KOENTJO6015KOTA JAKARTA PU61051026062220511100027433310703A1763040D45 The QR code was issued by neither any Indonesian state-owned banks (BNI, BRI, BTN, Bank Mandiri) nor Pospay, a digital wallet service owned by Pos Indonesia itself.Instead, the QR code was issued by NOBU National Bank, a privately-owned Indonesian bank, with the internal merchant PAN of 936005030000083956 and internal merchant ID of 53118642465581.Since the QR code was created dynamically (see Point 1) and issued by NOBU (see Point 6), we can highly assume that the scammer abuses NOBU's online payment gateway system to generate dynamic QRIS payment codes for phishing and scamming purposes. Note that we cannot further identify the scammer beyond this point. However, it is fairly easy for NOBU and legal authorities to further investigate and capture these scammers, as valid Indonesian IDs are still required to request new QRIS codes from authorized issuers, which can be found on https://www.aspi-indonesia.or.id/standar-dan-layanan/qris/. Here, we decided to notify related parties in the following order to help legal authorities validate this issue before revoking access to both QRIS merchant account and the suspected website. NOBU National Bank and Pos Indonesias.id URL shortening service and Ministry of Communication and Informatics of Republic of IndonesiaCloudflare and Webnic We value your cooperation in resolving this issue. In fact, we know that most of our contacted parties are still actively fighting online scams from Indonesia and all around the world. We understand that this type of scam is fairly new, hence stopping this scam website in the first place marks a great start in stopping future QRIS-based online scams. IMPORTANT NOTE: If you are voluntarily reading this from Indonesia, please do not give donations directly to our own QRIS payment code as shown on this blog post. Instead, you may support us through a number of ways, including sites such as Saweria and Trakteer which also supports payments from e-wallets and QRIS. Update 1: March 15, 2022 We forwarded the issue to NOBU National Bank via their official WhatsApp account. However, the bank rejected our report for not submitting transaction evidences with the scammer. The bank expects users to report scams after they're being scammed, or in their own terms, "experiencing financial losses". Meanwhile, the website was experiencing 500: Internal Server Error. The site is broken, I guess. But we decided to forward this issue to Cloudflare and Google Safe Browsing as well. Update 2: March 18, 2022 We're still curious enough to check whether the scam site is still working. Our Cloudflare and Google Safe Browsing reports didn't have any effects, though. However, what's changing here is that the "Claim" button redirects to a checkout page generated by Xendit, a Southeast Asia payment gateway, in case you're already familiar with Square and Stripe. This time, the merchant claimed to be "POSGIRO" instead of "MRS". The original invoice URL is https://checkout.xendit.co/web/6234b85f9820c061fbb94cfd. What a real Pos Indonesia checkout page look like? Some people also asked us whether there are clear examples of Pos Indonesia's real checkout page. Fortunately, we have one answer, on va.posindonesia.co.id, right when we receive an import tax bill to get our Hacktoberfest 2021 prizes mailed to our home address.* Here's another QRIS for you to analyze: The original payload here is: 00020101021226740022ID.CO.POSINDONESIA.WWW01189360816100000060050215ID20211150768080303PSO5204931153033605405675005802ID5917POS_INTERNASIONAL6007BANDUNG61054011562220703A010111500707128306304AB3B Which clearly states that this is a dynamic payment QR code ("QRIS Dinamis") issued right from Pos Indonesia! At least for their own postal and delivery services as well as Pospay merchants out there.