Three people suspected of using web skimmers to steal payment card information from websites around the world were arrested in Indonesia on Dec. 20 as part of a larger multi-national law enforcement operation, Interpol said. Authorities identified and took down two additional command-and-control servers in Singapore, and the investigation is still ongoing in five other Southeast Asian countries.
The suspects are accused of injecting JavaScript sniffers, also known as web skimmers, into websites to intercept information entered by the site visitors. The suspects allegedly used the stolen payment card details to purchase electronic and luxury items and resell them at a profit.
While the Indonesian police said the three were responsible for attacks on 12 online stores, researchers at Sanguine Security linked the group to attacks against 571 websites, 27 of which remain infected. The team connected the various attacks using a message left in the skimming code.
"Sanguine Security has been tracking the activity of this group for several years and has identified not 12 but 571 hacks by the same individuals," Sanguine Security said.
Sanguine Security also identified the suspects as being part of the Magecart family because the malware used in their attacks communicated with the magecart.net domain.
Magecart has been used against a large number of high-profile targets over the last few years. A Flashpoint-RiskIQ study said Magecart applied to an umbrella of seven separate groups, of varying degrees of sophistication, that used JavaScript sniffer malware against e-commerce sites. Some groups run highly targeted and extremely sophisticated Magecart campaigns, while others cast a simpler, wider, net.
The arrests likely won’t put a dent in the wave of Magecart infections as there are several other groups using the malware. The Indoensian group is believed to be responsible for just 1 percent of all Magecart incidents detected since 2017 by Sanguine Security. The company also believes that other members of this particular group could still be at large as there have been new attacks using the same attack code since December.
“However, they [Indonesian suspects] were responsible for just 1% of all Magecart incidents since 2018 and should be considered small catch,” Sanguine Security wrote.
Sanguine Security did not link the Indonesian group to specific Magecart victims, nor was there any indication about the group’s sophistication. Indonesian police said this group bought the malware from a criminal forum and used VPN services to cover their tracks when connecting to the attack infrastructure, Cyberthreat.id (Google Translate) reported.
The sniffer allegedly used by the suspects is also tracked as GetBilling by Russian cybersecurity firm Group-IB, which provided Interpol and the Indonesian Police with forensics support. According to Group-IB, GetBilling infected almost 200 websites in Indonesia, Australia, and parts of Europe, United States, and South America. The investigation into the group’s activities is still ongoing, so other attacks may be uncovered at a later date. The group also used stolen payment cards to pay for hosting services and other part of the infrastructure hosting their attack campaigns, Group-IB said.
Group-IB Cyber Investigations team determined that some of the GetBilling's infrastructure was located in Indonesia," the company said in a press release today. "Upon discovery of this information, INTERPOL's ASEAN Desk promptly notified Indonesian cyber police.
Neither Group-IB nor Interpol directly linked the suspects to Magecart in their statements.