Meanwhile in Singapore, the Ministry of Manpower (MOM) has recently lodged police report on websites that look like MOM’s website. The correct URL for MOM is http://www.mom.gov.sg. The copycat websites URL are:
- http://www.movgov.sg
- http://www.momgov.sg
I can’t believe that someone would foolish enough to carry phishing attack against Singapore Government. Isn’t this violates Singapore’s Law? According to Prof. Warren Chik, it does violate the law.
For now, let’s try to find the motive of this phishing attack. Unfortunately, since both websites is now no longer accessible, I can’t really find out how deep they imitates the MOM’s website. I can only speculates on their goals:
- Spread misinformation. I’m not sure how someone can directly profit from this.
- Stole SingPass credentials. There are areas in MOM’s website that requires you to login using SingPass. SingPass is used to access all public services provided by Government. Any financial transactions on these services will go through payment gateway like E-NETS/Bank. So I don’t think anyone can directly profit from stolen SingPass.
- It’s a test website. It’s possible, but very unlikely. Who would careless enough to develop website in open internet? If you look at MOM’s website HTML source, you can tell that it’s using SharePoint. If the copycat websites also using SharePoint, then very likely they really are test website.
The interesting point is that these websites uses .sg domain. Dot-SG domain is an exclusive domain managed by SGNIC. According to their rules, anyone (locals or foreigners) can register .sg domain as long as they have local Singapore postal address.
On one of SGNIC’s accredited registrar (IP-Mirror), I found a more detailed restriction which states that the domain contact person must have a valid SingPass ID. Hmm.. do you think this is the motive? Harvest as many SingPass ID you can get, use them to register .sg domains which later be used for fraud/scam.
These are the WHOIS result for the copycat websites:
http://www.sgnic.sg/whois/node/?u=movgov.sg&r=2048889785
---------------------------------------------------------------------- SGNIC WHOIS Server ---------------------------------------------------------------------- The following data is provided for information purposes only. Registrar: INSTRA CORPORATION PTY. LTD. Domain Name: MOVGOV.SG Creation Date: 16-May-2013 03:15:01 Modified Date: 01-Dec-2013 22:36:12 Expiration Date: 16-May-2014 03:15:01 Domain Status: DELETED Domain Status: VerifiedID@SG-Mandatory Domain Status: VerifiedID@SG-OK (VERIFIED BY ADMIN CONTACT) Registrant: Name: VS (SGNIC-ORG1302261) Administrative Contact: Name: INSTRA CORPORATION PTE. LTD. (SGNIC-ORGIN282886) Technical Contact: Name: VS (SGNIC-ORG1302262) Email: vs48087@gmail.com Name Servers: NS1.NOADS.BIZ NS2.NOADS.BIZ
http://www.sgnic.sg/whois/node/?u=momgov.sg&r=2079318309
---------------------------------------------------------------------- SGNIC WHOIS Server ---------------------------------------------------------------------- The following data is provided for information purposes only. Registrar: IP MIRROR PTE LTD Domain Name: MOMGOV.SG Creation Date: 11-Nov-2013 21:19:20 Modified Date: 29-Nov-2013 23:36:37 Expiration Date: 11-Nov-2014 21:19:20 Domain Status: DELETED Domain Status: CLIENT TRANSFER PROHIBITED Domain Status: VerifiedID@SG-Mandatory Domain Status: VerifiedID@SG-OK (VERIFIED BY ADMIN CONTACT) Registrant: Name: MARIN PLACEMENT (SGNIC-PER20045392) Administrative Contact: Name: IP MIRROR PTE. LTD. (SGNIC-ORGIP243488) Technical Contact: Name: MARIN PLACEMENT (SGNIC-PER20045392) Email: sglobestar@gmail.com Name Servers: NS74.DOMAINCONTROL.COM NS73.DOMAINCONTROL.COM
I am particularly interested with the domain’s status: VerifiedID@SG-OK (VERIFIED BY ADMIN CONTACT). According to SGNIC FAQ, it only requires two simple steps to have this status:
- login to SingPass
- click on a ‘Verify Identity’ button.
With this, I am sure it will be very easy for SPF (Singapore Police Force) to find out the individual who registered these two domains. After all, these two domains were verified using SingPass ID. Unless, it was already a stolen SingPass used to register. Whoever own the compromised SingPass ID will have the burden to proof that they were not the one validating these two domains.
loading...
About Hardono
Incoming Search
law, phishing, singapore