Let me remind you that the name MageCart was originally assigned to a single hacking group, the first to start planting web skimmers on online store sites to steal bank card data. That approach proved so successful that the group soon had numerous imitators, and the name MageCart became a household term that now designates a whole class of such attacks. Where RiskIQ researchers identified 12 such groups in 2018, by the end of 2019 there were already about 38 of them, according to IBM data.
Law enforcement and Group-IB report that the criminals stole bank card details from shoppers and used them to buy gadgets and luxury goods. The takedown of this group was the first successful operation against Magecart operators in the Asia-Pacific region (APAC).
The joint operation Night Fury, run by Indonesia's cyber police, INTERPOL's ASEAN Cyber Capability Desk (ASEAN Desk) and Group-IB's APAC Investigation Department, was conducted in December 2019. As a result, three Indonesian nationals aged 23 to 35 were arrested. All of them have been charged with the theft of electronic data using the GetBilling sniffer family. The operation in five more regions is still ongoing.
Group-IB specialists first described this family of sniffers in the report "Crime without punishment" in April 2019, and had been tracking the GetBilling JS-sniffer family since 2018. An analysis of the infrastructure controlled by the GetBilling operators arrested in Indonesia showed that they had managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America and other countries. According to preliminary estimates, in a single week the attackers collected about a thousand unique cards and account passwords from infected sites.
Last year, experts established that part of GetBilling's infrastructure was deployed in Indonesia, and Interpol promptly notified the Indonesian cyber police. The GetBilling operators tried to hide their location: they always connected over a VPN to the server that collected the stolen data and controlled the sniffer, and they paid for hosting and new domains only with stolen cards. Despite this, Group-IB experts, together with local police officers, managed to gather evidence that the group was operating from Indonesia, and then to track down the suspects themselves.
It is reported that during the search, police seized laptops, mobile phones from various manufacturers, processors, identification cards and bank cards from the detainees. According to the investigation, the suspects used the stolen payment data to buy gadgets and luxury goods, which they then resold on Indonesian sites below market value. The suspects have already been charged with the theft of electronic data; under the Indonesian criminal code, this crime is punishable by up to ten years of imprisonment. The investigation is ongoing.
It is worth noting that Sanguine Security experts write that the group included more participants who are still at large. According to the company, the group has been active since 2017, and its malicious code was detected on 571 sites, 17 of which are still infected because the store owners have not been able to clean their sites properly.
Sanguine Security also says that the group's code was easy to track thanks to a recurring "Success gan" message, which translates from Indonesian roughly as "Success, bro."
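The recurring string is exactly the kind of indicator a store owner can check their own pages for. The script below is an added example written for this article, not code from Group-IB or Sanguine Security: it parses a page's HTML with the standard library, searches every inline script for the "Success gan" marker (reporting the page line where it appears), and lists script tags loaded from hosts other than the store's own so they can be reviewed. The sample page, its hostnames and the script contents are constructed for the example; a real check would also download each external script and run `find_marker` over it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Marker string that Sanguine Security reported as recurring in the group's code (from the article).
MARKER = "Success gan"


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies (with their start line) and external script src values."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._start_line = 0
        self._buf = []
        self.inline = []    # (line of the <script> tag, script text)
        self.external = []  # src attribute values of external scripts

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        self._start_line = self.getpos()[0]
        self._buf = []
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)

    def handle_data(self, data):
        # Script bodies are CDATA; the parser may deliver them in several chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            text = "".join(self._buf)
            if text.strip():
                self.inline.append((self._start_line, text))
            self._in_script = False


def find_marker(script_text, marker=MARKER):
    """Return (line_number, stripped line) for every line of a script containing the marker."""
    return [(i, line.strip())
            for i, line in enumerate(script_text.splitlines(), start=1)
            if marker in line]


def scan_page(html, page_host, marker=MARKER):
    """Flag inline scripts containing the marker and list script tags served from other hosts."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()

    hits = []
    for start_line, text in collector.inline:
        for offset, line in find_marker(text, marker):
            # The script body begins on the same line as the <script> tag, so offset 1 is that line.
            hits.append((start_line + offset - 1, line))

    third_party = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host != page_host.lower():
            third_party.append(src)

    return {"marker_hits": hits, "third_party_scripts": third_party}


# Constructed sample page (not a real site): a checkout form, one first-party script,
# one third-party script, and an inline script carrying the marker string.
SAMPLE_HTML = """<html>
<head>
<script src="https://shop.example.com/static/checkout.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head>
<body>
<form id="checkout"><input name="cardnumber"></form>
<script>
var ok = true;
console.log("Success gan");
</script>
</body>
</html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML, "shop.example.com")
    for line_no, line in report["marker_hits"]:
        print(f"marker found at line {line_no}: {line}")
    for src in report["third_party_scripts"]:
        print(f"third-party script to review: {src}")
```

A marker hit on a page is a strong signal but its absence proves nothing, since other skimmers carry no such string; the third-party script list is the more general control, and every entry on it should be something the shop deliberately included.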
"Operation Night Fury has proven that all obstacles can only be overcome through close cooperation between law enforcement agencies, international organizations and private companies. Coordination of efforts between the cyber police of Indonesia, Interpol and Group-IB made it possible to attribute crimes, identify criminals who used sniffers, and arrest them. But more importantly, it helped protect innocent people and raise public awareness about the issue of cybercrime and its consequences," commented Idam Vasiyadin, Indonesia's Superintendent of Police.
Photo: Interpol, Group-IB