Big Phishing in a Big Pond

As the world’s second-biggest source of cyber attacks, Indonesia is prone to phishing, which occurs when a scammer or hacker lures an internet user into revealing personal details, such as a username and password, via a fake log-in webpage or email form.

Clicking on an interesting link (often something purporting to be humorous or sexy) on a hijacked Facebook feed or in an email may redirect you to an authentic-looking log-in page that asks you to confirm your username and password. Should you do so, scammers can then use your account, clone it and attempt to get money from your friends. They may also seek access to your banking details.

Indonesia’s Communications and Information Ministry doesn’t provide much data on phishing attacks – instead it seems to be preoccupied with preventing people from accessing pornography. A search of the ministry’s website for “phishing” yields a single result – an old third-party article about the rise of cyber banking scams. The ministry promotes an Internet Health and Safety campaign called INSAN (Internet Sehat dan Aman).

US-based internet monitoring company Akamai Technologies last year reported that Indonesia had overtaken China as the top source of cyber attack traffic. Indonesia in previous years accounted for less than 2% of the world’s attacks, but in the second quarter of 2013 that figure leapt to 38%. This could just mean that cyber criminals in other countries have compromised more unsecured computers in Indonesia and are using them to launch malicious manoeuvres.

Most recently, Akamai on January 28 reported that in the third quarter of 2013, Indonesia dropped to second place with 20% of observed attacks. More than half of all recorded attacks originated from China and Indonesia.

Indonesian hackers recently demonstrated their prowess with attacks on Australian websites, amid a wave of nationalist fervour sparked by revelations that Australia had several years ago attempted to tap the telephones of President Susilo Bambang Yudhoyono and his inner circle.

There is little outrage when average Indonesians are victims of phishing. In the days before Facebook’s ‘Closed Group’ feature, many people communicated in networks via Yahoo! Groups, an online discussion board service, which has existed for over a decade.

A group of women in Jakarta several years ago formed a Yahoo! Group to discuss their shared hobby. The group was ‘closed’, meaning it had strictly limited membership, so the women thought they were safe from outsiders. Members described the group as a “third place”, outside of work and family, where they could support one another. Over the years, they built up absolute trust, but they did not know much about each other’s day-to-day activities, such as who was in or out of town, or job details and families.

During one long weekend holiday, a senior member of the group posted a message that began: “Dear All, I got a promo ticket and I am now in Italy. Unfortunately my wallet, ticket, all my cards and passport were stolen, and I am now at the police station, and I need some money to survive until the issue will be resolved.”

There was a detailed explanation of the theft, followed by: “Please if anybody can transfer this sum of money, 700 -1,000 Euro, in my account, please do so. I will pay you back when I am home in one week.” A bank account number was included at the end of the message.

The sender claimed to be unable to contact relatives for help because they were also on holiday. The message was so naturally written that other members thought it might be genuine. Some considered providing help, but the large amount of money requested caused suspicion. “I immediately replied to that email, asking her to contact me personally,” said one member. “And then I found her number and called her. She picked up the phone and said she will call back; her voice sounded very strange. I remember how anxious I felt waiting for her call. It turned out she sounded strange because she was speaking from the basement of a parking lot, in Jakarta!”

The woman’s email account had been phished. Many of her friends, relatives and work clients had received the email begging for the transfer of funds.

If you receive an online request for money from a friend or relative, contact them first via telephone to ascertain that the message is genuine. And if your Facebook or email account has been phished, then immediately change your password and alert any relevant institutions that your information may have been stolen.


Kenneth Yeung is a Jakarta-based editor.