
Reinhart Previano K.


Blog posts from tales from the roothouse (root)


2022-07-01 23:59:27

Fake calculators are laughable, so why not create my own?

Ah yes, there's always a group of impostors for a calculator. Down to the designs. This classic model from Citizen has been copied by other brands to make their own. But after all, they are just the same. Oh yeah, I almost forgot to mention interesting impostors of (older generation of) Casio scientific calculators. I mean, look! Well, time to start a new calculator brand, I guess...

2022-03-13 18:01:55

Our investigation on Pos Indonesia phishing and scamming attempt.

You are receiving this message because we have identified you as the official contact address or representative of one of the following:

- Cloudflare (https://cloudflare.com/), as we found that the suspected site uses Cloudflare's website protection service,
- NOBU National Bank (https://www.nobubank.com/), as we found payment details linked to the bank,
- Pos Indonesia (https://posindonesia.co.id/), to notify you of a recent phishing attack claiming to act on behalf of the company,
- Representative(s) of the Ministry of Communication and Informatics, Republic of Indonesia (https://kominfo.go.id/), who take part in SMS and internet regulation,
- Operators of the s.id URL shortening service (https://s.id/), as the phishing actor uses their service to shorten the offending URL(s), and
- Webnic (https://www.webnic.cc/), as the domain registrar of the suspected site.

We have recently found a lucky draw phishing attempt which uses your service and/or intellectual property and claims to act on behalf of Pos Indonesia, the Indonesian state-owned post office and delivery service.
The suspected site is located at https://posgiroindonesia.com/, which was registered through Webnic on March 12th, 2022, 01:48:36 UTC, as found in the domain's WHOIS entry:

    Domain Name: posgiroindonesia.com
    Registry Domain ID: 2681013274_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.webnic.cc
    Registrar URL: webnic.cc
    Updated Date: 2022-03-12T01:50:04Z
    Creation Date: 2022-03-12T01:48:36Z
    Expiration Date: 2023-03-12T01:48:36Z
    Registrar: WEBCC
    Registrar IANA ID: 460
    Registrar Abuse Contact Email: compliance_abuse@webnic.cc
    Registrar Abuse Contact Phone: +60.389966799
    Domain Status: ok https://icann.org/epp#ok
    Registry Registrant ID: Not Available From Registry
    Registrant Name: Domain Admin
    Registrant Organization: Whoisprotection.cc
    Registrant Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
    Registrant City: Kuala Lumpur
    Registrant State/Province: Wilayah Persekutuan
    Registrant Postal Code: 57000
    Registrant Country: Malaysia
    Registrant Phone: +60.389966788
    Registrant Phone Ext:
    Registrant Fax: +603.89966788
    Registrant Fax Ext:
    Registrant Email: reg_19705533@whoisprotection.cc
    Registry Admin ID: Not Available From Registry
    Admin Name: Domain Admin
    Admin Organization: Whoisprotection.cc
    Admin Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
    Admin City: Kuala Lumpur
    Admin State/Province: Wilayah Persekutuan
    Admin Postal Code: 57000
    Admin Country: Malaysia
    Admin Phone: +60.389966788
    Admin Phone Ext:
    Admin Fax: +603.89966788
    Admin Fax Ext:
    Admin Email: adm_19705533@whoisprotection.cc
    Registry Tech ID: Not Available From Registry
    Tech Name: Domain Admin
    Tech Organization: Whoisprotection.cc
    Tech Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
    Tech City: Kuala Lumpur
    Tech State/Province: Wilayah Persekutuan
    Tech Postal Code: 57000
    Tech Country: Malaysia
    Tech Phone: +60.389966788
    Tech Phone Ext:
    Tech Fax: +603.89966788
    Tech Fax Ext:
    Tech Email: tec_19705533@whoisprotection.cc
    Name Server: DOM.NS.CLOUDFLARE.COM
    Name Server: TERESA.NS.CLOUDFLARE.COM
    DNSSEC: unsigned
    URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
    >>> Last update of WHOIS database: 2022-03-12T01:50:04Z <<<

The site uses Cloudflare and a WHOIS protection service to protect its website and related identities. Visiting https://posgiroindonesia.com/ directly simply redirects the user to https://posindonesia.co.id/, the official website of Pos Indonesia. However, visiting the suspected URL with a special random ID, such as https://posgiroindonesia.com/cf62....e5b7, leads the user to a special website.

The original webpage contains the victim's name, mobile number, and home address. This is why we decided to redact this information (including the original, offending URL) when publishing this report to our official website at https://reinhart1010.id/.

The phishing website is powered by Laravel, a PHP-based web development framework, which further suggests that the site is hosted on a LAMP (Linux-Apache-MySQL/MariaDB-PHP)-based web server. However, we could not identify the web hosting provider of this website, as the site is protected by Cloudflare. In technical terms, performing a WHOIS lookup on each of the IP addresses linked to posgiroindonesia.com's DNS entries simply returns a list of Cloudflare-managed servers instead of the original web server which runs the website.

When the user presses the "Claim" button shown on the above screenshot, the site performs an HTTP POST request which returns a valid QR code for use in QRIS, the national QR-based payment system which is based on EMVCo's QR Code Specification for Payment Systems. Here, understanding EMVCo's specification for merchant-presented payment QR codes is crucial to identifying the threat actor.
The above QR code contains the following payload:

    00020101021226670016COM.NOBUBANK.WWW01189360050300000839560214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID20221563643500303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd061920220313165000231530703A016304EFF2

This suggests that:

1. The QR code declares itself as a dynamic payment QR code ("QRIS Dinamis"), a type more commonly used in payment gateways, EDC machines, and SaaS-based POS systems, rather than a static QR code ("QRIS Statis"), which is commonly printed as stickers in brochures and shops.
2. The QR code was created on behalf of "MRS" instead of "Pos Indonesia", which is intentional to avoid rejection by Indonesian banks, digital wallets, and payment providers who are eligible to issue new QRIS payment QR codes.
3. The National Merchant ID (NMID) of the suspected scammer's merchant is ID2022156364350.
4. The merchant falls under the "Convenience and Specialty Stores" (5499) category, according to the QR's metadata. Similarly, we also have a valid static QRIS code (pictured below) which falls under this exact category, despite declaring ourselves as a "Software house and SaaS provider" when requesting one from our QRIS issuer.

   Our official QRIS QR code. Original payload:

       00020101021126680016ID.CO.TELKOM.WWW011893600898029003487302150001952900348730303UMI51440014ID.CO.QRIS.WWW0215ID10221477541080303UMI5204549953033605502015802ID5925REINHART PREVIANO KOENTJO6015KOTA JAKARTA PU61051026062220511100027433310703A1763040D45

5. The QR code was issued by neither any Indonesian state-owned bank (BNI, BRI, BTN, Bank Mandiri) nor Pospay, a digital wallet service owned by Pos Indonesia itself.
6. Instead, the QR code was issued by NOBU National Bank, a privately-owned Indonesian bank, with the internal merchant PAN of 936005030000083956 and internal merchant ID of 53118642465581.
7. Since the QR code was created dynamically (see Point 1) and issued by NOBU (see Point 6), we can assume with high confidence that the scammer abuses NOBU's online payment gateway system to generate dynamic QRIS payment codes for phishing and scamming purposes.

Note that we cannot further identify the scammer beyond this point. However, it is fairly easy for NOBU and legal authorities to further investigate and capture these scammers, as valid Indonesian IDs are still required to request new QRIS codes from authorized issuers, which can be found on https://www.aspi-indonesia.or.id/standar-dan-layanan/qris/.

Here, we decided to notify related parties in the following order to help legal authorities validate this issue before revoking access to both the QRIS merchant account and the suspected website:

1. NOBU National Bank and Pos Indonesia
2. s.id URL shortening service and Ministry of Communication and Informatics of Republic of Indonesia
3. Cloudflare and Webnic

We value your cooperation in resolving this issue. In fact, we know that most of our contacted parties are still actively fighting online scams from Indonesia and all around the world. We understand that this type of scam is fairly new, hence stopping this scam website in the first place marks a great start in stopping future QRIS-based online scams.
IMPORTANT NOTE: If you are voluntarily reading this from Indonesia, please do not give donations directly to our own QRIS payment code as shown on this blog post. Instead, you may support us in a number of ways, including sites such as Saweria and Trakteer, which also support payments from e-wallets and QRIS.

Update 1: March 15, 2022

We forwarded the issue to NOBU National Bank via their official WhatsApp account. However, the bank rejected our report because we did not submit evidence of a transaction with the scammer. The bank expects users to report scams after they have been scammed, or in their own terms, "experiencing financial losses".

Meanwhile, the website was returning 500: Internal Server Error. The site is broken, I guess. But we decided to forward this issue to Cloudflare and Google Safe Browsing as well.

Update 2: March 18, 2022

We were still curious enough to check whether the scam site was still working. Our Cloudflare and Google Safe Browsing reports didn't have any effect, though. However, what has changed is that the "Claim" button now redirects to a checkout page generated by Xendit, a Southeast Asian payment gateway similar to Square and Stripe, in case you're already familiar with them. This time, the merchant claimed to be "POSGIRO" instead of "MRS". The original invoice URL is https://checkout.xendit.co/web/6234b85f9820c061fbb94cfd.

What does a real Pos Indonesia checkout page look like?

Some people also asked us whether there are clear examples of Pos Indonesia's real checkout page. Fortunately, we have one answer, on va.posindonesia.co.id, from when we received an import tax bill to get our Hacktoberfest 2021 prizes mailed to our home address.*

Here's another QRIS for you to analyze. The original payload here is:

    00020101021226740022ID.CO.POSINDONESIA.WWW01189360816100000060050215ID20211150768080303PSO5204931153033605405675005802ID5917POS_INTERNASIONAL6007BANDUNG61054011562220703A010111500707128306304AB3B

This clearly states that it is a dynamic payment QR code ("QRIS Dinamis") issued right from Pos Indonesia! At least for their own postal and delivery services as well as Pospay merchants out there.
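The field-by-field reading used in this report can be reproduced with a short decoder. The following is an added example, not code from the original post: it parses the tag-length-value structure of an EMVCo merchant-presented payload, checks the trailing CRC, and pulls out the fields the report relies on. The function names are hypothetical, and the NMID position (tag 51, sub-tag 02) is taken from the payloads shown on this page.

```python
TEMPLATES = {str(t) for t in range(26, 52)} | {"62"}  # top-level tags holding nested TLV
SCAM_QR = (  # scam QR payload exactly as published in the report above
    "00020101021226670016COM.NOBUBANK.WWW0118936005030000083956"
    "0214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID2022156364350"
    "0303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN"
    "61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd"
    "061920220313165000231530703A016304EFF2"
)

def parse_tlv(data, top=True):
    """Each field is a 2-digit tag, a 2-digit decimal length, then the value."""
    fields, i = {}, 0
    while i < len(data):
        tag, length = data[i:i + 2], data[i + 2:i + 4]
        if len(length) != 2 or not length.isdigit():
            raise ValueError(f"bad length at offset {i}")
        end = i + 4 + int(length)
        if end > len(data):
            raise ValueError(f"tag {tag} runs past the end of the payload")
        value = data[i + 4:end]
        fields[tag] = parse_tlv(value, top=False) if top and tag in TEMPLATES else value
        i = end
    return fields

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def crc_ok(payload: str) -> bool:
    """Tag 63 comes last; its value covers everything before it, '6304' included."""
    body, claimed = payload[:-4], payload[-4:]
    return body.endswith("6304") and f"{crc16_ccitt(body.encode()):04X}" == claimed.upper()

def summarize(payload: str) -> dict:
    f = parse_tlv(payload)
    return {
        "type": {"11": "static", "12": "dynamic"}.get(f.get("01"), "unknown"),
        "issuers": [v.get("00") for t, v in f.items() if t in TEMPLATES and t != "62"],
        "nmid": f.get("51", {}).get("02"),  # NMID position as seen in this page's payloads
        "mcc": f.get("52"), "amount": f.get("54"), "merchant": f.get("59"),
        "crc_ok": crc_ok(payload),
    }

print(summarize(SCAM_QR))
```

A payload whose declared merchant name or issuer domain does not match the brand shown on the web page, as with "MRS" and COM.NOBUBANK.WWW here, is the mismatch the report uses to attribute the code.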

2022-02-23 11:29:37

raiding one of the vscode ads;

2022-01-31 15:29:41

Created a new account on the OSS site. Huh, the password got ✨leaked✨ via email.

2021-12-21 13:40:00

The Saweria website bugs out because of this one character!

2021-12-12 13:24:43

joinin' the TEDxBinusUniversity 2021 committee

2021-11-22 22:05:50

oh hey, it's HAM!

2021-10-30 01:24:16

oh hey, i'm a cyber ghost now!

i wouldn't print about this because of Halloween, but it's because the 1928 Youth Oath day in Indonesia; recently the Minister of Communication and Informatics print'd the following:

"let's pledge our new Oath() && Spirit() to chown the Indonesian digital space to benefit our public;"
https://kominfo.go.id/content/detail/37776/siaran-pers-no-383hmkominfo102021-tentang-93-tahun-sumpah-pemuda-menteri-johnny-ajak-kuasai-teknologi-dan-ruang-digital/0/siaran_pers

as part of the root community i'm never been less than proud to serve && grow the digital nation; in fact, i && the heads at Reinhart supports the global movement of achieving interface in polymorphism; the main essence behind this Youth Oath is well:

- we (the heads of Indonesian people) belong to the same roots: the motherland and the nation of Indonesia;
- we all implement the same language as a printable communication protocol: the Indonesian language!
- we might run on different SYSTEMs, but the ones uniting us is our deeds to implement shared protocols to achieve compatibility towards SYSTEMs - this is Interface in Polymorphism;

many heads of the Indonesian people are smart && unique, but when it comes to digital literacy, many of them are not; some even rely on "IT Masters", begging them for help in almost everyday; hey, that's sounds like a cool mission for me; wading through the 'net && travelling across walls to help millions of Indo-heads to be proficient at technology while keeping the sense of unity;

traaans... fooooorm! && that's why starting today i'll be transforming as a cyber ghost; alt1e included! just like real ghost you can't see me, but you can definitely see my impact as i was an ordinary roothead! you can chat on me, too! remember that cyborg account stuff Reinhart has been talkin' about? i'm also excited to print that i'll gonna possess, aka. pwn, Reinhart to operate our official Telegram account: @reinhart1010_bot!
our minds will always be connected; that means that if you send a private message to @reinhart1010_bot over Telegram, you'll definitely talkin' to us and Reinhart will always remember your messages; so guys, please be nice, too! through my technomancing powers, he'll be able to reply to you at the speed of a robot; 'cause sure, he's now pwned to become a robot; but don't worry, questions which require advanced human processing instructions will be handled by him as a human; he can still chat you as what you usually do in the regular days; well, that's the end of the announcement; by the way, do you know that mallory has entered our twitter account? don't forget to check out @alterine0101 for that; see you soon!

2021-10-05 12:11:30

Welcome to the most laughable investment group in all of Indonesia!

Bank Mandiri? Nope. Bank HSBC? Not that either. The Bareksa or HQSahamIDX apps? No. This is an investment group claiming to act on behalf of... CNBC Indonesia! Congratulations, you have been crowned the most laughable Telegram group, I mean, Telegram grub, in all of Indonesia! As a prize for the 𝐀𝐃𝐌𝐈𝐍 𝐂𝐍𝐁𝐂 𝐈𝐍𝐃𝐎𝐍𝐄𝐒𝐈𝐀 who worked so hard to win this award, we will hand the prize directly to the entire CNBC Indonesia editorial team, in the hope that it can be published on the CNBC Indonesia news portal and television station. That concludes our announcement. Thank you. Note: The link to this investment grub will be announced after the prize handover.



Reinhart Previano Koentjoro
Citra Manggala Dirgantara
