The Indonesian National Police in a joint press conference with Interpol and cybersecurity firm Group-IB earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers.
Dubbed ‘Operation Night Fury,’ the investigation was led by Interpol’s ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime.
According to the press conference, all three accused (23, 26, and 35 years old) were arrested last year in December from Jakarta and Yogyakarta and charged with criminal laws related to the data theft, fraud, and unauthorized access.
To hide their real location and identity, the group used VPNs while connecting to their command-and-control servers and stolen payment cards to buy new domains.
Group-IB helped Interpol identifying the suspects with its digital forensics expertise and “during the special operation, Indonesian Cyber Police seized laptops, mobile phones of various brands, CPU units, IDs, BCA Token, and ATM cards.”
Just like most of the other widespread Magecart attacks, the modus operandi behind this series of attacks also involved exploiting unpatched vulnerabilities in e-commerce websites powered by Magento and WordPress content management platforms.
Hackers then secretly implanted digital credit card skimming code—also known as web skimming or JS sniffers—on those compromised websites to intercept users’ inputs in real-time and steal their payment card numbers, names, addresses and login details as well.
Though Indonesian police claim these hackers had compromised 12 e-commerce websites, experts at cybersecurity firm Sanguine Security believe the same group is behind the credit card theft at more than 571 online stores.
“These hacks could be attributed because of an odd message that was left in all of the skimming code,” Sanguine Security said.
“‘Success gan’ translates to ‘Success bro’ in Indonesian and has been present for years on all of their skimming infrastructures.’
Group-IB investigation also confirmed that the number of websites infected with GetBilling sniffer is likely to be higher than 200 confirmed cases in Indonesia, Australia, Europe, the United States, South America, and some other countries.
Besides this, the police also revealed that the suspects used stolen credit cards to buy electronic goods and other luxury items, and then also attempted to resell some of them at a relatively low price through local e-commerce websites in Indonesia.
On an Indonesian news channel, one of the accused even admitted to hacking e-commerce websites and injecting web skimmers since 2017.
“This case showed the borderless nature of cybercrime – the operators of the JS-sniffer lived in one country attacking ecommerce websites all around the world. It makes evidence collection, identification of suspects, and prosecution more complicated,” says Vesta Matveeva, Head of Group-IB’s APAC Cyber Investigations team.
Moreover, experts also observed similar cyberattacks linked to the same online infrastructure even after the arrest of three people, and thus believes there are more members of this Magecart hacking group who are still at large.