Threat Management

Three Magecart operatives arrested in Indonesia


Several members of a group allegedly behind hundreds of Magecart-style attacks were arrested last month in Indonesia as the result of an international law enforcement operation.

Interpol’s ASEAN Cyber Capability Desk and the Indonesian National Police just announced late last week the December 20, 2019 arrest of three members of a group allegedly behind a series of Magecart e-commerce attacks. The three individuals were only identified by their initials, age and city. According to Group-IB, the three are Jakarta and Yogyakarta and are N, 23; ANF, 26 and K, 35 years old.

Photo courtesy Group-IB.

Interpol reported it helped coordinate Operation NightFury that was supplied by the Indonesian police, the research firm Group-IB and security teams from other nations. The operation is on-going in five other countries where the gang allegedly had command and control servers.

The three are accused of inserting a JavaScript sniffer called GetBilling onto hundreds of online point of sale system0, which was able to pull out payment card information from a webstore. A JavaScript injection is a classic example of how a Magecart attack’s early stage, reported RiskIQ.

“During the special operation, Indonesian Cyber Police seized laptops, mobile phones of various brands, CPU units, IDs, BCA Token, ATM cards,” said Group-IB.

The security firm said it has been tracking GetBilling since 2018 and a study of the infrastructure controlled by the arrested men indicate they infected at least 200 websites in Indonesia, Australia, Europe, the United States, South America, and some other countries.

Group-IB described the GetBilling as an experienced cybercrime organization that used VPNs to hide their location and stolen credit cards to buy equipment, hosting services and new domains.

The arrest of the three men likely does not mean the end of Magecart attacks as there are other suspected groups using JavaScript sniffers to attack online POS systems.

A Flashpoint-RiskIQ study released in November 2019 suggests the descriptor Magecart describes an umbrella of about seven separate groups that use JavaScript sniffer malware to launch attacks on e-commerce sites. Last year saw many major corporations hit in this manner including British Airways, Ticketmaster, Macy’s and the American Cancer Society.

Group-IB’s annual 2019 threat report noted that the number of compromised payment cards uploaded to underground forums increased from 27.1 million to 43.8 million from the second half of 2108 to the first half of 2019. The company also blamed JavaScript sniffers for the 19 percent increase in the sale of CVV data during this period.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.