[BreachExchange] Police Bust 3 Suspected Magecart Hackers in Indonesia

Destry Winant destry at riskbasedsecurity.com
Tue Jan 28 10:17:17 EST 2020


https://www.databreachtoday.com/police-bust-3-suspected-magecart-hackers-in-indonesia-a-13648

Police in Indonesia have arrested three suspected members of an
e-commerce hacking crew that employed JavaScript attack code to steal
customer and payment card data. The gang allegedly injected malicious
JavaScript "skimming" code known as "GetBilling" into targeted
websites, in what is often more broadly referred to as Magecart-type
attacks.


The suspects were arrested as part of Operation Night Fury, an ongoing
anti-skimming probe spearheaded by Interpol's Cyber Capability Desk,
backed by U.S. and European law enforcement agencies, which has also
involved Indonesia's "Bareskrim Polri" cyber police team. Interpol
says five other Association of Southeast Asian Nations (ASEAN) member
countries have received attack intelligence and are continuing to
pursue Night Fury investigations.

Evidence seized by investigators in Indonesia (photo: Interpol)

Police have only released the three Indonesian suspects' initials and
ages - "ANF," 27; "K," 35; "N," 23 - and said they were arrested in
two regions in the country: Yogyakarta and Jakarta. Police said they
also seized PCs and laptops, mobile phones, ATM cards, identification
cards, and BCA - for Bank Central Asia - security tokens.

All three of the men have been charged with violating article 363 of
the Indonesian Criminal Code by stealing electronic data; they face a
maximum prison sentence of 10 years.

"The suspects have managed to infect hundreds of e-commerce websites
in various locations, including in Indonesia, Australia, the United
Kingdom, the United States, Germany, Brazil and some other countries,"
says Singapore-based cybersecurity firm Group-IB, which assisted with
the investigation. "Payment and personal data of thousands of online
shoppers from Asia, Europe, and the Americas have been stolen."

Example of stolen payment and personal data stored on GetBilling's
servers (source: Group-IB)

Investigators have accused the suspects of using stolen payment card
data "to buy goods, such as electronic devices or other luxury items,
which they tried to resell online in Indonesia at below the market
price," Group-IB says.

While investigators have identified nearly 200 websites that the group
hacked, Group-IB says that figure seems set to rise as the other five
ASEAN countries continue their investigations.

Magecart Attacks Continue

Crime groups surreptitiously inject rogue JavaScript code onto
e-commerce sites to intercept payment card and customer data, in what
are often known as Magecart attacks. Magecart isn't a stand-alone
crime group, but rather an umbrella term that refers to the use of
malicious JavaScript sniffing code, aka JS sniffers or virtual
skimming code (see: Magecart Group Continues Targeting E-Commerce
Sites).

Security firms are tracking at least 12 different Magecart criminal
groups, and they say such attacks date from 2014. But since 2018, the
quantity of Magecart attacks has surged. Victims of
Magecart-associated groups have included shoe manufacturer Fila,
bedding sites Mypillow.com and Amerisleep.com, as well as British
Airways, Ticketmaster and Newegg (see: RiskIQ: Magecart Group
Targeting Unsecured AWS S3 Buckets).

In a 2019 report, Group-IB said it counted 38 JS-sniffer families, but
the company said this week that the figure has nearly doubled since
then.

More Suspects at Large

The suspects were arrested on Dec. 20, 2019.

One suspect subsequently admitted in an interview on Indonesian
television that he'd been intercepting card payments since 2017. But
he claimed to have made almost no revenue, earning only enough to "buy
a jacket," Amsterdam-based e-commerce security firm Sanguine Security
says in a blog post.

Sanguine Security Labs (@eComscan), replying to @eComscan:

We were contacted previously by a likely member of the group, claiming
to have more information about the recent impersonations of Sanguine
Security. "I am just blackhat who spread malware"

9:59 AM - Jan 25, 2020

The arrests do not appear to have fully disrupted the gang's
activities, Sanguine Security says, noting it continued to see attack
activity using the same infrastructure afterwards, until as recently
as Jan. 15.

"One or more suspects [are] still at large," tweets Dutch security
researcher Willem de Groot, a digital forensics specialist at Sanguine
Security. "Several card collection servers - such as magecart.net -
have been active and were modified since the arrests" on Dec. 20,
2019.

Overall, Sanguine Security says it has tied 571 different hack attacks
to the same individuals. "These hacks could be attributed because of
an odd message that was left in all of the skimming code: 'Success
gan!'" The firm says that phrase "translates to 'success bro' in
Indonesian and has been present for years on all of their skimming
infrastructure."

The security firm says attack domains that it has traced to this crime
group have included:

trustme.web.id
bikin.id
nganuenak.com - or "delicious"
bakulsemprul.com - referring to a cafeteria on the island of Borneo
adventurewar.com
ride4speed.com
magecart.net

Sanguine Security says at least 17 websites remain infected with the
group's attack code.
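As an added illustration of how a site owner can check a page for the indicators reported above, the following Python script is not part of the article, nor tooling from Sanguine Security or Group-IB. It parses a page's HTML with the standard library, collects external script sources and inline script bodies, and flags any that reference the domains listed above or contain the "Success gan!" marker string. The sample page it scans is constructed for this example; the domains and marker string are the ones the article reports.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the article: domains Sanguine Security tied to the
# group, and the marker it says was present in all of the skimming code.
SKIMMER_DOMAINS = {
    "trustme.web.id", "bikin.id", "nganuenak.com", "bakulsemprul.com",
    "adventurewar.com", "ride4speed.com", "magecart.net",
}
SKIMMER_MARKER = "Success gan!"

# Constructed sample page (not a real site): one benign local script, one
# script loaded from a listed domain, and one inline script with the marker.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.magecart.net/lib.js"></script>
</head><body>
<script>
  // constructed sample: benign analytics stub
  window.track = function (e) {};
</script>
<script>
  // constructed sample: marker string mentioned in the article
  var note = 'Success gan!';
</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_matches(url):
    """True if the script URL's host is a listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SKIMMER_DOMAINS)


def _domain_in_text(domain, text):
    """Match the domain as a whole token so 'bikin.id' does not hit 'bikin.identity'."""
    return re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", text) is not None


def scan_html(html):
    """Return a list of (finding_kind, detail) tuples for one page's HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        if _host_matches(src):
            findings.append(("external_script_to_listed_domain", src))
    for body in parser.inline:
        if SKIMMER_MARKER in body:
            findings.append(("inline_marker_string", SKIMMER_MARKER))
        for domain in sorted(SKIMMER_DOMAINS):
            if _domain_in_text(domain, body.lower()):
                findings.append(("inline_reference_to_listed_domain", domain))
    return findings


def scan_sample():
    """Scan the constructed sample page; used as the runnable demonstration."""
    return scan_html(SAMPLE_PAGE)


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"{kind}: {detail}")
```

The check is indicator-based: it only catches script loads and strings that match what has already been reported, so it complements rather than replaces integrity controls such as Subresource Integrity and a Content Security Policy restricting script sources. A practitioner would feed it the HTML actually served on checkout and payment pages, since that is where skimming code is injected.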

Indonesian Attack Infrastructure

Group-IB says that some of the attackers' infrastructure was located
in Indonesia, although the crime gang tried to hide that fact.

"To access their servers for stolen data collection and their
JS-sniffers' control, they always used a VPN to hide their real
location and identity," Group-IB says. "To pay for hosting services
and buy new domains the gang members only used stolen cards. Despite
that, Indonesian cyber police in cooperation with Interpol and
Group-IB's cyber investigations team managed to establish that the
group was operating from Indonesia."

Example of GetBilling's malicious script (source: Group-IB)

Milestone for APAC Cybercrime Investigations

Authorities thanked Group-IB for sharing intelligence about the gang.

"Strong and effective partnerships between police and the
cybersecurity industry are essential to ensure law enforcement
worldwide has access to the information they need to address the scale
and complexity of today's cyberthreat landscape," says Craig Jones,
Interpol's director of cybercrime.

INTERPOL Cyber (@INTERPOL_Cyber):

Joint press conference by Indonesian National Police & #INTERPOL on
Operation Night Fury led by INTERPOL’s #ASEAN Desk, sharing the
successful arrest of 3 suspects involved in JS-sniffer campaign
compromising e-commerce websites to steal credit card or online
payment information

6:02 AM - Jan 24, 2020

"This successful operation is just one example of how law enforcement
are working with industry partners, adapting and applying new
technologies to aid investigations and ultimately reduce the global
impact of cybercrime," Jones said.

The three arrests in Indonesia appear to be the first time that police
in southeast Asia have identified and arrested Magecart suspects.

"Thanks to Indonesian cyber police and Interpol's prompt actions,
Night Fury became the first successful multi-jurisdictional operation
against the operators of JavaScript sniffers in the APAC region,"
Vesta Matveeva, head of Group-IB's APAC cyber investigations team,
said at a joint press conference hosted by Indonesian police and
Interpol on Friday.

Vesta Matveeva, head of Group-IB's APAC cyber investigations team
(Photo: Interpol)

"This case showed the borderless nature of cybercrime - the operators
of the JS-sniffer lived in one country attacking ecommerce websites
all around the world," Matveeva said. "It makes evidence collection,
identification of suspects and prosecution more complicated. Another
thing that the case demonstrated vividly is that international
cooperation and cyber intelligence data exchange can help effectively
tackle modern cyber threats."

Magecart Attacks Continue

While disrupting cybercrime gangs remains an imperative, experts
caution that many Magecart gangs remain at work.

"While the arrests are a big step to combat the surge of web skimming,
this group has only been responsible for less than 1 percent of online
skimming activity since 2018," Sanguine Security says in reference to
the three suspects arrested in Indonesia. "We estimate that 40 to 50
(more sophisticated) individuals are yet involved in this type of
fraud."
