Spear Phishing Attacks in Malaysia

Malaysian commercial and government computer systems continue to be threatened by a rise in spear phishing attacks, many of them mounted by groups based overseas.

Phishing attacks involve mass emails sent to many users enticing them to click on a link or open an attachment. The attachment or linked download delivers a malware payload that infects the smartphone, computer or wider IT system, or the link leads to a fake login page that harvests the user's credentials. Phishing messages usually purport to come from a large, well-known company or website with a broad membership base, such as Google or PayPal: the attacker is playing the numbers, since the larger the audience, the higher the chance that some recipients are duped.

Spear Phishing Attacks
In the case of spear phishing attacks, the apparent source of the email is likely to be an individual within the recipient's own professional or social group, generally someone in a position of authority or someone the target knows personally. The term 'spear' indicates that the target has been selected and their background researched, either to increase the chances of success or because the target is significant.

The main delivery vector for spear phishing over the past few years has been email. In Malaysia, email was the most favoured weapon for a wide range of cyber-attacks: during 2016 it was reported that one in every 130 emails sent to users in Malaysia contained a malicious link or attachment, a fourfold increase in one year, which shows the growing problem companies face in protecting their systems.

Spear Phishing Attack in Malaysia
An example of a successful spear phishing attack occurred in 2014, when around 30 computers at Malaysian agencies involved in the investigation into the disappearance of Malaysia Airlines flight MH370 were reportedly hacked, and the perpetrators made off with confidential data on the missing aircraft.

Asia News Network reported in 2014 that the computers of 'high-ranking officials' in several Malaysian aviation and security agencies were hacked and classified information removed. The point of entry was said to be a spear phishing email carrying a malicious executable disguised as a PDF file. When the attachment was opened, the user's machine was infected with malware that gave the attacker remote access to the PC and sent stolen information back to an IP address in China.

The spear phishing email, with the subject line 'Over the South China Sea' and dated 9 March 2014, just one day after MH370 went missing, contained 'sophisticated' malware disguised as a news article about the missing Boeing 777.

The timing suggests that the malware was prepared before MH370 disappeared and was launched by persons unknown to break into Malaysian government systems and extract information. Some Malaysian government agencies reported that their networks were congested with email leaving their servers; these emails carried confidential data from the officials' computers, including minutes of meetings and classified documents. Given the nature of cyber attacks it is difficult to be certain who was behind it: although the exfiltration address was in China, the attackers themselves could have been anywhere in the world.
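The lure in the MH370 case, an executable dressed up as a PDF, is a pattern that a mail gateway or an incident responder can check for mechanically. The following is an added example written for this page, not code from any of the agencies or vendors mentioned: it compares what an attachment's file name claims with what its leading bytes actually are, flags double extensions and the Unicode right-to-left override trick, and looks one level inside zip archives, since the executable is often shipped wrapped in a zip. The sample attachments are constructed byte strings, not files from the incident.

```python
import io
import zipfile

# Leading bytes of the container formats recognised here (well-known values).
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",            # Windows PE executable (.exe, .scr, .dll ...)
    "zip": b"PK\x03\x04",    # plain zip, and Office .docx/.xlsx, which are zips
    "rtf": b"{\\rtf",
}

# What the content should look like for a given claimed extension.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "zip": "zip", "rtf": "rtf", "exe": "exe"}

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "lnk", "ps1"}

# Unicode right-to-left override: "report_\u202efdp.exe" is displayed as "report_exe.pdf".
RTLO = "\u202e"


def sniff(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name entirely."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons an attachment looks like a disguised executable (empty list = nothing found)."""
    findings = []
    if RTLO in name:
        findings.append("right-to-left override character in file name")
    exts = name.replace(RTLO, "").lower().split(".")[1:]
    claimed = exts[-1] if exts else ""

    if claimed in EXECUTABLE_EXTS:
        if len(exts) >= 2:
            findings.append(f"double extension hiding .{claimed} behind .{exts[-2]}")
        else:
            findings.append(f"directly executable attachment .{claimed}")

    actual = sniff(data)
    if actual == "exe" and claimed not in EXECUTABLE_EXTS:
        findings.append(f"PE executable content but named .{claimed or '(none)'}")
    elif claimed in EXPECTED_KIND and actual != EXPECTED_KIND[claimed]:
        findings.append(f"content is {actual}, not the {EXPECTED_KIND[claimed]} a .{claimed} should be")

    # The usual packaging is a zip whose only member is the executable; look one level in.
    if actual == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for reason in inspect_attachment(member, zf.read(member), depth + 1):
                        findings.append(f"inside archive, {member!r}: {reason}")
        except zipfile.BadZipFile:
            findings.append("claims to be a zip but does not parse")
    return findings


def _sample_zip(member_name: str, member_bytes: bytes) -> bytes:
    """Build an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed samples (not the real lure): a genuine PDF, a PE renamed to .pdf,
# a zip wrapping a double-extension executable, and an RTLO-disguised executable.
SAMPLES = {
    "briefing.pdf": b"%PDF-1.4\n%constructed\n",
    "MH370 article.pdf": b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00",
    "South China Sea.zip": _sample_zip("Over the South China Sea.pdf.exe", b"MZ\x90\x00"),
    "report_\u202efdp.exe": b"MZ\x90\x00",
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the checks over a batch of attachments, keyed by file name."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(repr(name), "->", findings or ["no findings"])
```

The content check is the one that matters: renaming a file costs the attacker nothing, but the first bytes of a PE file are always `MZ`, so a gateway that sniffs content rather than trusting the extension catches the MH370-style lure regardless of what it is called.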

Spoofed Email Addresses
Another variant of spear phishing is a spoofed email instructing the target to reset their Gmail or other webmail password, with a link that diverts them to a look-alike site where they enter their username and password. The attackers capture these details and use them to log in to the real account. This method was used to access the Gmail account of John Podesta, chairman of Hillary Clinton's 2016 presidential campaign: the hackers downloaded emails, attachments and reports, and material from Podesta's mailbox was later leaked online to damage the Clinton campaign.
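The Podesta case turned on a single link in a fake security alert, and checking where such a link actually points is mechanical. The example below is written for this page, not the campaign's or Google's tooling: it pulls the URLs out of a message body and tests each against a short allowlist of genuine account-recovery domains, flagging URL shorteners, brand names planted in the subdomain of an unrelated registrable domain, punycode labels, raw IP hosts, the `user@host` trick and plain http. The sample email and the look-alike domain are constructed; the allowlist and the two-label suffix table are deliberately small stand-ins for a real configuration and the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only registrable domain a genuine Google account-recovery link may use.
TRUSTED_DOMAINS = {"google.com"}
# Brand words that attackers plant in the host name of a look-alike site.
BRAND_WORDS = ("google", "gmail", "paypal", "microsoft", "apple")
# Shorteners hide the real destination; a password-reset link has no reason to use one.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Stand-in for the Public Suffix List so that "foo.com.my" is the registrable domain, not "com.my".
TWO_LABEL_SUFFIXES = {"co.uk", "com.my", "com.sg", "com.au", "co.jp", "co.id"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody had to register (simplified PSL logic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(url: str) -> list[str]:
    """Return the reasons a link should not be trusted as an account-recovery link (empty = fine)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("user@ prefix: the real host is what follows the @")
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address instead of a host name")
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homoglyph domain")

    rd = registrable_domain(host)
    if rd in TRUSTED_DOMAINS:
        return reasons
    if rd in SHORTENERS:
        reasons.append(f"URL shortener {rd} hides the destination")
    elif any(word in host.lower() for word in BRAND_WORDS):
        reasons.append(f"brand name in host, but the registrable domain is {rd}")
    else:
        reasons.append(f"registrable domain {rd} is not on the allowlist")
    return reasons


def scan_email(body: str) -> dict[str, list[str]]:
    """Extract every URL from a message body and assess each one."""
    return {url: assess_link(url) for url in URL_RE.findall(body)}


# Constructed message in the style of a fake account security alert (not the real Podesta email).
SAMPLE_EMAIL = """Subject: Security alert for your Google Account

Someone just used your password to try to sign in to your account.
We stopped this sign-in attempt. You should change your password immediately:

CHANGE PASSWORD: https://bit.ly/3xample

If the button does not work, use this link:
https://accounts.google.com.security-reset.example/ServiceLogin?continue=mail

For reference, the genuine page is https://myaccount.google.com/security
"""

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", reasons or ["looks genuine"])
```

The decisive test is the registrable domain, not whether the word "google" appears somewhere in the host: `accounts.google.com.security-reset.example` belongs to whoever registered `security-reset.example`. A shortened link should be expanded (or simply not followed) before any judgement is made.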

As the email attack vector is expected to keep growing, employees and systems administrators should be aware that caution is needed before opening attachments or clicking on unexpected web links. As a first step, an effective Secure Email Gateway with content filtering, such as MailMarshal, should be implemented to stop infected emails reaching users.

Recent industry surveys in Malaysia indicate that five out of every six large companies have been targeted with spear phishing attacks. Small businesses have also seen an increase, often in attacks seeking online banking credentials.

Current studies in Malaysia and the USA note that attackers use email credentials stolen from one corporate victim to spear-phish colleagues within the same company, working their way towards accounts with higher administrative privileges and so reaching more of the network and its databases.

Ongoing Threat
Spear phishing attacks present a real and current danger to company, organisation and government computer systems. Only effective filtering tools, user education about the threats and continued vigilance can prevent them.

Bribery and corruption behind Football match fixing in Malaysia

Online gambling on football matches in Asia now runs to hundreds of millions of dollars each season, with the risk that those placing or taking large bets will seek to manipulate results through threats or bribes to players, managers or officials.

Malaysia and the Malaysia Super League (Liga Super Malaysia) are a keen target for match fixers seeking to cream off winnings from illegal bookmakers.

To combat this threat, the Football Association of Malaysia (FAM) has engaged FIFA's Early Warning System (EWS). The system was implemented in August 2016 for the Malaysia Super League (MSL) and will also be extended to international matches hosted in Malaysia. FAM has been given a good deal: it will not have to pay for the system, which normally costs RM100,000 per football season.

The Early Warning System, which began operations in 2007, is a fraud detection system that monitors betting trends to spot rapid changes in the odds on offer and also provides match result analysis. It monitors FIFA competitions, including the World Cup and all qualifying matches, and works closely with football associations across Asia.

Rumours of match-fixing in the Malaysia Super League are nothing new as a number of corruption scandals have surfaced in the past.

The low point for Malaysian football came in 1994-95, when more than one hundred footballers were disciplined, with punishments ranging from life bans to suspensions of up to four years. Investigations by the Royal Malaysia Police found gross interference by gambling syndicates to fix results, allegedly including physical threats to players who refused to cooperate. Those implicated included Malek Rahman, Matlan Marjan and Azizol Abu Hanafiah. The arrests and punishments were made under a law then known as the 'Emergency Ordinance', under which players suspected of fixing matches could be detained and banished from the game (the law has since been repealed).

Malaysia came under the match fixing spotlight again in 2009, when the national team played friendly matches against Zimbabwe in Kuala Lumpur; the games had been arranged by the notorious convicted match fixer Wilson Raj Perumal, a Singapore national.

Malaysia beat the higher-ranked Zimbabwe side 4-0 and 1-0, raising suspicion within the Early Warning System, and the games were investigated by FIFA.

Following the investigation, FIFA revoked the 'A' international classification of both matches once it was discovered that a Zimbabwean club side, Monomotapa United, had been masquerading as the national team without the approval of the Zimbabwe Football Association.

Also in 2009, Lesotho were beaten 5-0 by Malaysia in a friendly, and many Lesotho players were seen going on a shopping spree after the game, generating suspicion that the result had been interfered with by outsiders.

Since the 2009 debacle, the Football Association of Malaysia has worked with the Malaysian Anti-Corruption Commission (MACC) to investigate suspect results and to monitor players, support staff and identified match fixers. In addition to providing betting trend data, the Early Warning System will also provide:

  • a confidential whistle-blower system
  • a dedicated integrity phone number and email address for anonymous tips to be submitted
  • a monitoring process for all matches in the Malaysian Super League to identify results which may suggest match fixing has been involved
  • an investigation unit to follow up on leads

Kevin Ramalingam, Chief Executive of the Football Malaysia Limited Liability Partnership (FMLLP), said the implementation of a fraud detection system would uphold the league's integrity, adding that the system would be able to pinpoint players likely to be involved in fixing matches.

Pen drive 'of allegations'
Corruption and dishonesty within Malaysian football became a hot topic in September 2016 after Youth and Sports Minister Khairy Jamaluddin submitted a pen drive, said to contain documentary evidence of misconduct, to the Malaysian Anti-Corruption Commission.

Khairy Jamaluddin stated that he had received the pen drive from the Tengku Mahkota of Johor, Tunku Ismail Sultan Ibrahim, in August 2016. The pen drive purportedly contained a 280-page report detailing misconduct and corruption within the Football Association of Malaysia.

However, MACC investigations director Azam Baki later reported that the commission had examined the contents of the pen drive and found no evidence of an offence under the MACC Act 2009.


Ransomware attacks surge in Malaysia

Ransomware has become a critical threat to small and medium-sized businesses in Malaysia and across South East Asia, largely because Bitcoin makes it so easy for attackers to extract ransoms from their victims.

Ransomware is simple but toxic. The malicious software is installed on the victim's computer after the victim is hoodwinked into clicking an unsafe link or opening an email attachment. Once running, it encrypts files on the system, from documents through to whole data sets. When enough files have been encrypted they are locked away from the user and a message appears demanding a ransom to unlock them. If the ransom is not paid the files stay encrypted and are essentially useless.

Over the past year ransomware has emerged as one of the most significant weapons in the criminal arsenal against small and medium-sized businesses. Unlike other forms of cyber theft, which often involve stolen credit card numbers or healthcare records, ransomware acts directly on the victim, holding their systems or data hostage until a payment is made.

Recent Ransomware Attacks
The Hollywood Presbyterian Medical Center in Los Angeles paid around US$17,000 in February 2016 to unlock files after an attack that paralysed much of the hospital's computer systems. The attack was planned: the criminals broke into a hospital server the month before and, after two weeks of reconnaissance, struck on a Friday night when the IT staff were off for the weekend, encrypting data on 800 computers and 130 servers and rendering everything from patient records to prescriptions unreadable.

In Canada, the University of Calgary paid a demanded $20,000 after a ransomware attack on its computer systems. The university's IT team noticed that certain files had been encrypted and managed to quarantine other files and systems, but valuable research data had already been locked, so the university opted to pay the ransom to recover it.

Ransomware Figures
According to Symantec Corporation, Malaysia ranks 47th globally and 12th in the Asia Pacific region for ransomware attacks. In 2015 Malaysians experienced around 5,000 ransomware attacks, or about 14 a day.

Recent research by a cyber security research centre indicated that around half of the victims infected with CryptoLocker agreed to pay the ransom demanded. While it is understandable that they wanted their files back, every ransom paid encourages other criminals to join in and create new ransomware families.

Once considered a consumer problem, ransomware has moved on to target entire networks at hospitals, universities and businesses, making it a far more serious and costly threat.

Different Types of Ransomware
CryptoLocker was the first crypto-ransomware to succeed at scale: usable by criminals of only moderate capability, it fleeced victims of millions of dollars in 2013 and 2014.

Newer ransomware families include CryZip, Locky, Zepto, Cerber, CryptXXX and UltraCrypter.

Many ransomware attacks exploit known vulnerabilities in the software on a computer system, whether in the operating system or in individual programs such as web browsers and their plug-ins. (A true 'zero day' is a flaw for which no patch yet exists; most ransomware relies on bugs that have already been fixed.)

Software vendors release updates and patches to close these holes, but the criminals rely on owners not installing them, so the ransomware can slip through and infect the system.

Common ways of Ransomware Infection
The traditional and most effective way for an attacker to infect a computer system is an email attachment with malware inside. These attachments often look like benign Microsoft Office files such as Word or Excel documents, but can also be photos or PDFs.

Careful attackers spend time researching the victim so that they can send email from spoofed addresses the victim trusts, or name documents after a project or location the victim knows. The victim is tricked into opening the document because its name looks real or because they trust the sender, not realising the sending address has been faked.

Others infect systems through exploit kits planted on compromised web pages the victim visits, often pornographic sites or pop-up pages designed to attract visitors.

Once the attachment is unzipped and run, or the exploit kit delivers its payload, the infection proceeds roughly as follows:

1. The malware generates a fresh symmetric key for the victim (or for each file) and encrypts that key with the attacker's public key, which is embedded in the malware or fetched from the attacker's server; the matching private key never leaves the attacker, which is why the files cannot be recovered from the infected machine alone
2. It begins encrypting every accessible file with a targeted extension, such as .docx or .xls, including files on network shares it can reach, and usually renames them with a new extension
3. The original files are overwritten or deleted, so only the encrypted copies remain
4. The computer system still works, but the encrypted files cannot be opened
5. A ransom note is presented, typically in three formats (text, image and web page), telling the victim what has happened and demanding a Bitcoin transfer in return for the key that unlocks the files
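The encryption steps above have an observable side: within minutes, many files lose their normal headers, become near-random (encrypted data carries close to 8 bits of entropy per byte), gain a new extension, and a ransom note appears next to them. The following added example, written for this page rather than taken from any security product, scores constructed file-write events on those signals and raises an alert when several files are flagged together or a note is dropped alongside a flagged file. The sample documents, the seeded "ciphertext" standing in for encrypted output, and the note file name are all constructed; the thresholds are starting points, not tuned values.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# Leading bytes of common document and image formats (well-known values).
KNOWN_HEADERS = (b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"\x89PNG", b"\xff\xd8\xff", b"MZ")
# Words that ransom note file names tend to contain, and the formats notes are dropped in.
NOTE_MARKERS = ("DECRYPT", "RECOVER", "HOW_TO", "README", "RESTORE", "HELP_")
NOTE_EXTENSIONS = (".TXT", ".HTML", ".HTA", ".BMP", ".PNG")
HIGH_ENTROPY = 7.5  # bits per byte; encrypted (and compressed) data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_known_header(data: bytes) -> bool:
    return any(data.startswith(h) for h in KNOWN_HEADERS)


@dataclass
class WriteEvent:
    """One observed rewrite of a file: what it was, and what it became."""
    old_name: str
    old_bytes: bytes
    new_name: str
    new_bytes: bytes


def score_event(ev: WriteEvent) -> list[str]:
    """Signals that this rewrite looks like encryption rather than normal editing."""
    signals = []
    if has_known_header(ev.old_bytes) and not has_known_header(ev.new_bytes):
        signals.append("known file header destroyed")
    e_old, e_new = shannon_entropy(ev.old_bytes), shannon_entropy(ev.new_bytes)
    if e_new >= HIGH_ENTROPY and e_new - e_old >= 1.0:
        signals.append(f"entropy rose from {e_old:.1f} to {e_new:.1f} bits/byte")
    if ev.new_name != ev.old_name and ev.new_name.startswith(ev.old_name):
        signals.append(f"extension appended: {ev.new_name[len(ev.old_name):]}")
    return signals


def is_ransom_note(name: str) -> bool:
    upper = name.upper()
    return upper.endswith(NOTE_EXTENSIONS) and any(m in upper for m in NOTE_MARKERS)


def assess_burst(events: list[WriteEvent], created: list[str], threshold: int = 3) -> dict:
    """Alert when several rewrites in one window each carry two or more signals, or one does and a note appears."""
    flagged = {}
    for ev in events:
        signals = score_event(ev)
        if len(signals) >= 2:          # a single signal (e.g. zipping a file) is too noisy on its own
            flagged[ev.new_name] = signals
    notes = [n for n in created if is_ransom_note(n)]
    alert = len(flagged) >= threshold or (bool(flagged) and bool(notes))
    return {"flagged": flagged, "ransom_notes": notes, "alert": alert}


# Constructed sample data. The "ciphertext" is seeded pseudo-random bytes standing in for cipher output.
_rng = random.Random(2016)


def _fake_ciphertext(n: int = 2048) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


MINUTES = b"%PDF-1.4\n" + b"Minutes of the 9 March meeting. Action items follow.\n" * 40
BUDGET = b"PK\x03\x04" + b"[Content_Types].xml budget q1 q2 q3 q4 totals\n" * 40
PHOTO = b"\xff\xd8\xff\xe0" + b"JFIF constructed holiday photo\n" * 40

SAMPLE_EVENTS = [
    WriteEvent("minutes.pdf", MINUTES, "minutes.pdf.locked", _fake_ciphertext()),
    WriteEvent("budget.xlsx", BUDGET, "budget.xlsx.locked", _fake_ciphertext()),
    WriteEvent("photo.jpg", PHOTO, "photo.jpg.locked", _fake_ciphertext()),
    # A normal save: same name, header intact, a few more rows appended.
    WriteEvent("forecast.xlsx", BUDGET, "forecast.xlsx", BUDGET + b"q5 revised totals\n"),
]
SAMPLE_CREATED = ["_HELP_instructions.html", "forecast.xlsx"]

if __name__ == "__main__":
    print(assess_burst(SAMPLE_EVENTS, SAMPLE_CREATED))
```

Entropy alone is a poor signal, because compressed archives, Office documents and JPEGs are also high-entropy; that is why the example requires two signals per file and a burst across several files before alerting, and why the only truly reliable indicator remains a backup that the malware could not reach.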

Use of Bitcoin
The use of Bitcoin has also fuelled the spread of ransomware. It is now the preferred payment method for most ransomware because it allows money to be sent and received anywhere in the world with little traceability.

What Can You Do If You’re Infected by Ransomware?
Unfortunately there is little you can do to recover your files once a system is infected with ransomware and the files are encrypted. The best defence is a full backup stored on a separate drive from which the data can be restored, but make sure the backup is isolated from the network, or the backup files will be encrypted and locked along with everything else.
1. Isolate the infected machine
It is important that the system is taken offline: the attackers effectively control the computer and could use it to reach other systems on the network.

2. Weigh up the pros and cons of paying a ransom
As with any ransom, there is no guarantee the criminals will cooperate; they may demand further payment, or you may be targeted for a repeat (and potentially more costly) attack in future.

Can you be sure the files will actually be unlocked? If they are, can you be sure the malware has not been left in place to encrypt them again and demand a higher ransom?

(Anecdotal information suggests that the criminals want their business model to work and therefore do generally release the data on payment.)

3. Recovery
Run endpoint security software to find and remove the ransomware. If it cannot detect the threat, wipe the machine and reinstall the operating system.

4. Restore
Review your recent backups and restore files and operating systems from the most recent clean backup.

5. Alert Law Enforcement
In Malaysia the agency is CyberSecurity Malaysia, which can be contacted via its website, www.cybersecurity.my

In Singapore the agency is the Cyber Security Agency of Singapore; see https://www.csa.gov.sg/singcert/about-us/faqs for details.

Though they probably cannot provide immediate assistance, such attacks need to be reported so that the attackers can be tracked.
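Step 4 above only works if the backup you are about to restore from is itself clean, and ransomware that reaches a mounted backup share encrypts it like any other folder. The following added example, written for this page and not taken from any backup vendor's tool, records a SHA-256 manifest of the backup tree when the backup is taken, signs the manifest with an HMAC key that is kept off the backup media, and later verifies the tree against that manifest so that files rewritten, renamed or added since the backup stand out before restoration begins. The directory contents, the key and the ransom note file name are constructed inside a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256. Run this when the backup is taken."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON form. The key must live off the backup media, or the attacker can re-sign."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(root: Path, manifest: dict[str, str]) -> dict:
    """Compare the backup tree as it is now against the manifest recorded at backup time."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k, h in manifest.items() if current.get(k) == h),
        "modified": sorted(k for k, h in manifest.items() if k in current and current[k] != h),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, let 'ransomware' reach the share, then check before restoring."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.xlsx").write_bytes(b"PK\x03\x04 constructed ledger")
        (root / "minutes.docx").write_bytes(b"PK\x03\x04 constructed minutes")
        (root / "policy.pdf").write_bytes(b"%PDF-1.4 constructed policy")

        manifest = build_manifest(root)
        key = b"constructed-key-kept-on-offline-media"
        tag = sign_manifest(manifest, key)

        # Simulated ransomware on the backup share: one file encrypted in place,
        # one renamed with a new extension, and a note dropped.
        (root / "policy.pdf").write_bytes(os.urandom(64))
        (root / "minutes.docx").rename(root / "minutes.docx.locked")
        (root / "HOW_TO_RECOVER.txt").write_text("constructed ransom note")

        report = verify_backup(root, manifest)
        report["manifest_authentic"] = manifest_is_authentic(manifest, key, tag)

        # An attacker who also rewrites the manifest to match the encrypted file
        # cannot forge the HMAC without the offline key.
        tampered = dict(manifest, **{"policy.pdf": sha256_file(root / "policy.pdf")})
        report["tampered_manifest_authentic"] = manifest_is_authentic(tampered, key, tag)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything listed under "modified", "missing" or "unexpected" is a reason to reach for an older backup set rather than restore from this one, and a manifest that fails its signature check should be treated as an attacker's manifest, not yours.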

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

US Navy officials charged in ‘Fat Leonard’ fraud

A Malaysian national operating from naval bases in Singapore and across Asia was at the centre of one of the biggest criminal fraud cases in US Navy history. US government investigators have detained and charged multiple US Navy officials with bribery and corruption offences.

The Malaysian national is Leonard Glenn Francis, widely known as 'Fat Leonard', who ran Glenn Defense Marine Asia, a maritime services company holding more than US$200 million worth of contracts to resupply and refuel US Navy vessels across Asia.

The scandal became public in September 2013, when federal agents lured Leonard Glenn Francis from his base in Asia to San Diego in a sting operation. Francis believed Glenn Defense was on the cusp of being awarded further US Navy contracts; instead he was arrested and charged with bribery and corruption offences. He has since pleaded guilty to bribing 'scores' of US Navy officials with prostitutes, cash, gifts, expensive meals and other indulgences over a decade.

Francis has admitted cheating the US Navy out of at least US$35 million by forging invoices, overbilling, running kickback schemes and gouging for standard maritime services. In essence, he bribed senior officers within the US Navy so that they would turn a blind eye to the inflated charges.

Francis operated a sophisticated machine to penetrate various levels of the US Navy establishment, obtaining the information he needed and covering his tracks where necessary. He allegedly recruited three Navy officers to act as paid moles for Glenn Defense Marine Asia, leaking intelligence about criminal investigations into the company and other information that gave the firm an unfair advantage over competitors.

It is alleged that Francis and Glenn Defense:

  • Bribed US Navy officers with access to prostitutes and gifts of cash or electronics
  • Corruptly arranged for the US Navy to grant diplomatic clearance to Glenn Defense so that it could avoid inspections and dodge customs duties in the Philippines
  • Bribed a retired commander to leak Naval Criminal Investigative Service (NCIS) files to Glenn Defense to help the firm thwart fraud inquiries

Francis adeptly identified personnel on ship and shore, civilian and uniformed, who were willing to work with him to defraud the US Navy. He even hired retired US Navy officers who then helped recruit active-duty officers to supply information.

With high-level contacts among US Navy decision makers, Francis was able to have ships steered to ports where Glenn Defense could more easily overcharge the Navy for its services.

Francis also benefited from the US Navy ignoring warnings over the years from honest Navy personnel, some of whom requested reviews or cancellation of contracts because of the huge charges his company billed. When he fell under suspicion, he had a Navy criminal investigator pass him internal documents about the investigations into Glenn Defense.

Francis was an adept networker who worked hard to cultivate relationships in the Navy. He hosted lavish parties for US Navy officers at select restaurants and bars, spending freely to entertain. He would then begin the bribery process with small gifts to individual officers, such as whisky or the services of a prostitute; those who accepted were then targeted for information, while the gifts increased in frequency and value.

In 2008, Francis targeted a US Navy officer based at the Fleet Logistics Center in Yokosuka, Japan. The officer worked in the naval supply system and was responsible for providing logistics support to ships and for awarding and overseeing contracts.

This officer provided internal US Navy information on ship schedules, port visits, and how the service would handle ship servicing contracts and control costs. Francis exploited this information to charge excessive prices. In exchange, the officer received more than US$100,000 in cash, stays at luxury hotels and the services of prostitutes.

Francis built up a web of contacts throughout the US Navy, including members of contract review boards who could recommend and approve bidders for Navy contracts. He would then have his contacts steer ship servicing contracts in Thailand and the Philippines to Glenn Defense.

The federal investigation has established that Francis ran a decade-long scheme that defrauded the US Navy of tens of millions of dollars by targeting a handful of key points in the fleet's Asian operations.

So far federal investigators have charged 14 individuals, and prosecutors say as many as 200 others are under investigation. According to US Navy officials, nearly 30 admirals are under scrutiny for possible criminal or ethical violations.


Questionable hiring practices in Asia cause conflicts of interest for banks

UK-based Barclays Bank PLC has become the latest international bank to reveal that US authorities are investigating some of its hiring practices in Asia, which suggest a conflict of interest. Sources indicate that Barclays is alleged to have improperly recruited friends and family members of Asian government officials, and of top executives in the region with whom the bank had previous dealings.

The Securities and Exchange Commission (SEC) is known to be making inquiries into around a dozen banks in the US and Europe over similar aspects of their foreign recruitment. HSBC Holdings PLC has also recently disclosed that it received information requests from the SEC about its hiring of candidates with ties to Asian government officials. Such SEC inquiries have been active since August 2013, when J.P. Morgan Chase & Co. disclosed that the SEC was reviewing its hiring practices in Asia.

One recent report in the Wall Street Journal stated that J.P. Morgan Chase & Co. had hired friends and family members of executives at seventy-five percent of the major Chinese companies it helped take public in Hong Kong during the decade-long boom in Chinese IPOs. The figures reportedly came from a document compiled by the bank as part of a federal bribery investigation into the practice.

Other US banks with operations in Hong Kong are rumoured to have hired friends and family members of senior executives at major Chinese companies taken public in Hong Kong between 2005 and 2013. There are questions as to whether such hiring breaches current US foreign bribery law.

“Sons and Daughters” China personnel hiring program

A 2015 inquiry by US authorities further revealed that the leading US bank J.P. Morgan had hired over 200 candidates said to belong to China's business and political elite under a programme supposedly known internally as 'Sons and Daughters'. US authorities are still investigating whether this constituted bribery under the US Foreign Corrupt Practices Act (FCPA), which makes it illegal for US companies to give anything of value to a foreign official with the intention of improperly influencing their decisions.

Such conflicts of interest arise when departments within an organisation take actions without disclosing sensitive issues to legal or compliance officers. Some of the banks under investigation may have pursued an advantage by recruiting people with insight into possible deals without fully disclosing those personal connections to in-house counsel. A failure to develop, or enforce, suitable Standard Operating Procedures (SOPs) for hiring, coupled with poor oversight by senior management and weak reporting structures, probably contributed to the situation.

Tips for Avoiding a Conflict of Interest

  1. Have a system to check for conflicts of interest; make sure such checks are documented and all levels of management are aware that they are required
  2. Even if there is no conflict at the start of a relationship, keep your radar on as the matter proceeds, and even after it ends; some conflicts appear over time, others only after the matter is concluded
  3. Take action at the slightest hint of a conflict arising; talk to the clients and the management overseeing the matter at the first opportunity
  4. Do not keep silent and look the other way; encourage all levels of management to speak up as soon as a problem arises
  5. Full disclosure and client briefings can often defuse a sticky situation and stop a bad situation getting far worse

Do you need to know more about our services and how Regents can assist you with investigations? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.



Mobile Phone Thefts

Ever since mobile phones became an essential tool for business people, their theft and resale has posed a security problem for companies. The latest smartphones are not only costly; they can also hold crucial data about the company and the people who work there.

Beyond the obvious precautions, such as not leaving a phone on the table and checking your pockets for the phone when leaving a taxi (a common way to lose one), there are a number of technical measures that can be taken:

1. Ensure that the phone has a security PIN plus a locked SIM
2. Install tracking software that can be activated remotely should the phone go missing
3. Have all data backed up to the cloud
4. Where possible, encrypt critical data

Once one of your staff discovers that a phone has been stolen or lost, have your IT people start tracking it using the installed software. Alert the telecom provider so that the phone can be deactivated and prevented from making costly calls or downloads; the provider can often locate the phone more quickly. If you suspect the phone has been stolen, make a police report so that the police can identify the thief with the help of the tracking data.

To counter the theft and resale of mobile phones, some telecom providers have created a registry of phones reported missing or stolen, keyed by the serial number or IMEI embedded in the phone. If a missing or stolen phone is placed on such a register, a provider checking the phone before signing up a new customer will flag the problem.
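The registry described above is keyed on the IMEI, and a lookup is only as good as the number typed in. The following added example, written for this page and not any carrier's system, normalises an IMEI as it appears on a label or in the phone's settings screen, validates its check digit with the Luhn algorithm that the IMEI format uses, splits out the Type Allocation Code, and then checks the number against a blacklist. The IMEIs and the blacklist are constructed; a real check would query the carrier's or GSMA database rather than a local set.

```python
import re


def normalise_imei(raw: str) -> str:
    """Drop the spaces, dashes and dots that labels and 'Settings > About' insert for readability."""
    return re.sub(r"[\s\-.]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check: doubling every second digit from the right, the total must be a multiple of 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(first14: str) -> str:
    """The 15th IMEI digit is whichever digit makes the whole number pass the Luhn check."""
    for candidate in "0123456789":
        if luhn_valid(first14 + candidate):
            return candidate
    raise ValueError("input must be 14 digits")


def parse_imei(raw: str) -> dict:
    """Normalise and validate; a 14-digit input (check digit omitted) has it computed."""
    digits = normalise_imei(raw)
    if not digits.isdigit() or len(digits) not in (14, 15):
        return {"imei": digits, "valid": False, "reason": "need 14 or 15 digits"}
    if len(digits) == 14:
        digits += luhn_check_digit(digits)
    if not luhn_valid(digits):
        return {"imei": digits, "valid": False, "reason": "check digit mismatch"}
    return {
        "imei": digits,
        "valid": True,
        "tac": digits[:8],        # Type Allocation Code: identifies the handset model
        "serial": digits[8:14],   # per-device serial within that TAC
        "check": digits[14],
    }


def check_device(raw: str, blacklist: set[str]) -> str:
    """Verdict for a handset presented for activation: 'invalid', 'blocked' or 'clear'."""
    info = parse_imei(raw)
    if not info["valid"]:
        return "invalid"
    return "blocked" if info["imei"] in blacklist else "clear"


# Constructed blacklist standing in for the carriers' shared stolen-handset register.
STOLEN_IMEIS = {"490154203237518"}

if __name__ == "__main__":
    for presented in ["49-015420-323751-8", "490154203237519", "35 332104 123456", "not an imei"]:
        print(presented, "->", check_device(presented, STOLEN_IMEIS), parse_imei(presented))
```

A number that fails the check digit was mistyped (or invented) and should be rejected before it is ever sent to the registry; otherwise a stolen handset slips through simply because one digit was wrong at the counter.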

This cooperation between telecom providers in the USA has made it much harder, if not impossible, to reactivate a flagged phone on a US network. That is the good news. The bad news is that the database only covers the USA, and other countries have been slow to implement similar programmes.

This means that phone owners living outside the USA have little protection when it comes to recovering or blocking their missing phones, and savvy iPhone thieves have realised that the way around the US restrictions is to sell the phones overseas.

There is already a steady trade in second-hand mobile phones traded in when users want a new one. These old phones may be reconditioned and shipped overseas, where customers buy them at a discount. Some dishonest players use these channels to turn found or stolen phones into instant cash.

Whether the phone was lost by accident or stolen by a thief, resale and use by a third party exposes the data on it to being downloaded and used in an identity theft attack. A locked and secure mobile phone is essential: make sure a six-digit PIN is set.

This threat will only grow as we store more and more data on our mobile phones. To give an idea of the scale of the problem today, in the USA the loss and theft of mobile phones was estimated to cost consumers over US$30 billion in 2012, and around 110 smartphones are said to be lost or stolen every minute there.

Now, where did I put my phone……..

Do you need to know more about our services and how Regents can assist you with theft or IT security issues? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once. Visit our Fraud Investigations webpage for more information.