The modus operandi
The apprehended suspects have been using their JS sniffer to steal payment card numbers, names, addresses, and login details since 2017. Indonesian law enforcement has confirmed that the group has intercepted payments from at least 12 businesses, but the group is likely to have hit more; experts from Sanguine Security believe that the group may have compromised over 571 online stores. The security firm’s assumption is based on their finding a particular Indonesian phrase seen in all the invasive codes the suspects left behind: “Success gan,” which translates to “Success bro.”
The suspects used virtual private networks (VPNs) connected to command and control (C&C) servers to hide their location and identities. They used stolen payment information to buy new domains, electronic goods, and other luxury items. Some items were put up for sale on Indonesian e-commerce websites for half their market price. Indonesian police estimate the group’s profits at around 300 to 400 million rupees, or US$30,000.
The takedown
Cybersecurity firm Group-IB had been tracking the group under the name GetBilling, which is a JS function the suspects used in their code. The firm worked together with Interpol to track them down. Once the joint operatives discovered that some of the group’s infrastructure was located in Indonesia, they promptly notified the country’s local authorities.
The three suspects were arrested on December 20, 2019 during Operation Night Fury, an ongoing anti-skimming probe led by Interpol’s ASEAN Cyber Capability Desk Project (ACCDP). Police seized laptops, mobile phones, CPUs, IDs, ATM cards, and a Token BCA. In Singapore, authorities took down two of the group’s C&C servers.
Group-IB confirmed that GetBilling compromised over 200 businesses in Indonesia, Australia, Europe, South America, the United States, and other countries. The suspects now face up to 10 years in prison for charges related to data theft, fraud, and unauthorized access.
Similar cyberattacks have been linked to the GetBilling group’s infrastructure, which indicates that other members may still be at large. The suspects are said to be responsible for only about 1% of all Magecart incidents, but their arrest is considered the first successful multi-jurisdictional operation against web skimmers.
Early last year, Trend Micro’s machine learning and behavioral detection technologies proactively discovered and blocked a skimming code (JS_OBFUS.C) loaded on 277 travel websites as well as online shops of prominent cosmetic, healthcare, and apparel brands.
Since attackers usually exploit known vulnerabilities in applications or websites that store and manage sensitive data, consumers must be aware of what can be done to secure private information, especially when making payments online. To protect businesses against these types of attacks, security and IT staff, programmers, and developers can adopt these best practices:
- Update your software, applications, and website platforms
- Limit third-party plug-ins or components and only enable necessary ones
- Perform regular assessment of your online security, availability, and integrity
- Monitor all online activities for anomalies and unauthorized events
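As an added example (not code from the article, Trend Micro, or Group-IB), this is what the monitoring and third-party-script items above look like in practice: a baseline integrity check over the scripts a checkout page serves, plus a match on the two indicators the article names. All URLs, script bodies, and baseline hashes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Indicators taken from the article: the "Success gan" phrase left in the
# injected code and the GetBilling function name the group used.
INDICATORS = ("Success gan", "GetBilling")

# Constructed sample: scripts as currently served by a checkout page, keyed by URL.
SERVED_SCRIPTS = {
    "https://shop.example/js/checkout.js": "function pay(f){return submit(f);}",
    "https://shop.example/js/vendor.js": "window.vendor={init:function(){}};",
    "https://cdn.example/analytics.js": "var b=GetBilling(document.forms[0]);console.log('Success gan');",
}

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed baseline: hashes recorded when the site was known-good.
# vendor.js is baselined with a different body so it shows up as modified.
BASELINE = {
    "https://shop.example/js/checkout.js": sha256("function pay(f){return submit(f);}"),
    "https://shop.example/js/vendor.js": sha256("window.vendor={init:function(){}};/*v1*/"),
}

@dataclass(frozen=True)
class Finding:
    url: str
    kind: str    # "unknown", "modified", "missing" or "indicator"
    detail: str

def audit_scripts(served, baseline, indicators=INDICATORS):
    """Compare served scripts against the known-good baseline and scan for indicators."""
    findings = []
    for url, body in served.items():
        digest = sha256(body)
        if url not in baseline:
            findings.append(Finding(url, "unknown", "script not in baseline"))
        elif baseline[url] != digest:
            findings.append(Finding(url, "modified", f"hash {digest[:12]}... differs from baseline"))
        for ind in indicators:
            if ind in body:
                findings.append(Finding(url, "indicator", f"contains {ind!r}"))
    # A baselined script that disappears can also mean the page was tampered with.
    for url in baseline.keys() - served.keys():
        findings.append(Finding(url, "missing", "baselined script no longer served"))
    return findings

if __name__ == "__main__":
    for f in audit_scripts(SERVED_SCRIPTS, BASELINE):
        print(f"[{f.kind}] {f.url}: {f.detail}")
```

Run on a schedule against the live checkout page, any "unknown", "modified" or "indicator" finding is the anomaly the last two bullets ask you to watch for.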