3 Indonesian Hackers Arrested for Global Magecart Attacks, Other Members Still at Large

The International Criminal Police Organization (Interpol), together with the Indonesian National Police, recently announced the arrest of three Indonesian men suspected of being behind intercontinental Magecart attacks.

In these attacks, which are also known as e-skimming and web skimming, hackers gain access to a website’s backend and insert a few lines of malicious JavaScript code (JS-sniffer). The injected code then collects payment card information from transactions made on the infected website.

This type of attack has been around since 2016; some of the known targets include online shops, hotel chains, advertising companies, and even schools. In 2019, Trend Micro researchers discovered that Magecart actively compromised 3,126 online shops — all of them hosted on Volusion, a top e-commerce platform.

The modus operandi

The apprehended suspects have been using their JS sniffer to steal payment card numbers, names, addresses, and login details since 2017. Indonesian law enforcement has confirmed that the group intercepted payments from at least 12 businesses, but the group is likely to have hit more; experts from Sanguine Security believe that the group may have compromised over 571 online stores. The security firm bases this estimate on a particular Indonesian phrase found in all of the injected code the suspects left behind: “Success gan,” which translates to “Success bro.”

The suspects used virtual private networks (VPNs) connected to command and control (C&C) servers to hide their location and identities. They used the stolen payment information to buy new domains, electronic goods, and other luxury items. Some items were put up for sale on Indonesian e-commerce websites for half their market price. Indonesian police estimate the group’s profits at around 300 to 400 million rupiah, or US$30,000.

The takedown

Cybersecurity firm Group-IB had been tracking the group under the name GetBilling, after a JS function the suspects used in their code. The firm worked together with Interpol to track them down. Once the joint operation discovered that some of the group’s infrastructure was located in Indonesia, it promptly notified the country’s local authorities.

The three suspects were arrested on December 20, 2019, during Operation Night Fury, an ongoing anti-skimming probe led by Interpol’s ASEAN Cyber Capability Desk Project (ACCDP). Police seized laptops, mobile phones, CPUs, IDs, ATM cards, and a Token BCA. In Singapore, authorities took down two of the group’s C&C servers.

Group-IB confirmed that GetBilling compromised over 200 businesses in Indonesia, Australia, Europe, South America, the United States, and other countries. The suspects now face up to 10 years in prison for charges related to data theft, fraud, and unauthorized access.

Next steps

Similar cyberattacks have been linked to the GetBilling group’s infrastructure, which indicates that other members may still be at large. The suspects are said to be responsible for only about 1% of all Magecart incidents, but their arrest is considered the first successful multi-jurisdictional operation against web skimmers.

Early last year, Trend Micro’s machine learning and behavioral detection technologies proactively discovered and blocked a skimming code (JS_OBFUS.C) loaded on 277 travel websites as well as on the online shops of prominent cosmetic, healthcare, and apparel brands.

Since attackers usually exploit known vulnerabilities in applications or websites that store and manage sensitive data, consumers must be aware of what can be done to secure private information, especially when making payments online. To protect businesses against these types of attacks, security and IT staff, programmers, and developers can adopt these best practices:
  • Update your software, applications, and website platforms
  • Limit third-party plug-ins or components and only enable necessary ones
  • Perform regular assessment of your online security, availability, and integrity
  • Monitor all online activities for anomalies and unauthorized events
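One way to put the last two practices into code is to scan a site's own pages for the indicators named in this article (the `GetBilling` function name and the “Success gan” string) and for script sources outside an allowlist of first-party hosts. The script below is an added example, not code from the article or from any of the firms mentioned; the hostnames and the placeholder inline script are constructed.

```python
"""Scan page HTML for web-skimmer indicators and unallowlisted script hosts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the article; matched case-insensitively.
INDICATORS = {
    "getbilling_function": re.compile(r"\bGetBilling\b", re.I),
    "success_gan_string": re.compile(r"Success\s+gan", re.I),
}

class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src values."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []           # start buffering an inline script
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def scan_page(html, allowed_hosts):
    """Return (finding, detail) tuples: inline indicators first, then hosts."""
    p = _ScriptCollector()
    p.feed(html)
    findings = [(name, body.strip()[:60]) for body in p.inline
                for name, rx in INDICATORS.items() if rx.search(body)]
    for src in p.external:
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            findings.append(("unallowlisted_script_host", host))
    return findings

# Constructed sample: one first-party script, one third-party script, and a
# placeholder inline script carrying the article's indicators (no real logic).
SAMPLE_HTML = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.unknown-third-party.example/lib.js"></script>
<script>function GetBilling(){ /* constructed placeholder */ }
console.log("Success gan");</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, {"shop.example"}):
        print(finding)
```

Run it against a saved copy of each checkout page on a schedule and diff the output against a known-good baseline; any new finding is a change worth investigating.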
Trend Micro™ Security; Smart Protection Suites and Worry-Free™ Business Security; Trend Micro Network Defense; and Hybrid Cloud Security are solutions powered by XGen™ security, a blend of threat protection techniques that eliminate security gaps and provide maximum protection.
