Magecart gang arrested in Indonesia

First-ever arrest of a Magecart hacker gang.

magecart-indonesia.jpg

Image: INTERPOL, via Group-IB

Interpol and Indonesian police have arrested three men on suspicion of being part of a cybercrime group engaged in Magecart attacks.

The arrests, which took place on December 20 but were only made publish last week in a press conference, mark the first arrests of a Magecart gang.

Magecart, also known as web skimming or e-skimming, is a form of cyberecrime where hacker groups plant malicious JavaScript code on online stores. The code is configured to steal payment card data while users enter the card info inside checkout and payment forms.

The suspects were only identified by their initials: ANF (27 years), K (35 years), and N (23 years), from he regions of Jakarta and Yogyakarta.

Sanguine Security claims the group also included more members, which is still at large.

According to the company' scans, the group was active since 2017, and its code was found on 571 websites, 17 of which are still infected to this day, after the store owners failed to clean their sites.

Group-IB, another cyber-security company involved in fighting Magecart attacks, said it's been tracking the group under the name of GetBilling, the name of one of the JavaScript functions they used in their code.

Sanguine Security says the gang's code was easy to track because of the presence of a recurring message that read "Success gan," which translated to "Success bro" when translated from Indonesian.

getbilling.png

Image: Group-IB

Group-IB, which was directly involved in the investigation and helped authorities track down the group, said the suspects used the stolen payment card data to buy goods, such as electronic devices or other luxury items, which they later tried to resell online in Indonesia at below the market prices.

To hide their real location and identities, the group used VPN (virtual private network) services to access their command and control servers to retrieve the stolen card data. The GetBilling group also used stolen card data to pay for hosting services, again, trying to hide their real identities.

"Group-IB Cyber Investigations team determined that some of the GetBilling's infrastructure was located in Indonesia," the company said in a press release today. "Upon discovery of this information, INTERPOL's ASEAN Desk promptly notified Indonesian cyber police."

The three suspects were arrested last year part of an operation codenamed Night Fury, but the investigation is still ongoing. Each suspect face up to ten years in prison for their crimes.