Sunday , September 20 2020
Home / Security / Magecart-related arrests made in Indonesia

The three individuals arrested represent only a small portion of the Magecart web-skimming group, but the investigation is ongoing.

Magecart-related arrests made in Indonesia


CSO Senior Writer,


Three members of a group that infected hundreds of websites from around the world with payment card stealing malware were arrested in Indonesia, the International Criminal Police Organization (INTERPOL) announced Tuesday. The arrests are the result of a larger multi-national law enforcement investigation that continues in other countries from the Southeast Asia region.

[ How well do you know these 9 types of malware and how to recognize them. | Sign up for CSO newsletters! ]

The three suspects, aged 23, 27, and 35, are accused of using the payment card details they stole to purchase electronic and luxury items and then selling them for a profit. They are facing prison sentences of up to 10 years.

INTERPOL refers to the malware used by the group as a JavaScript sniffer, but this is more commonly known in the security industry as a web skimmer. It consists of a malicious piece of JavaScript code that is inserted into a website — typically in its checkout pages — and is designed to steal the personal and payment information entered by customers.

The most notorious of these web skimmers is called Magecart and has been used in a large number of attacks over the past few years, including against very high-profile brands. Magecart is used by over a dozen groups of hackers whose campaigns range from basic to very sophisticated and from widespread to highly targeted. In some of the more stealthy attacks the code is customized to work only with the victim’s website.

Russian cybersecurity firm Group-IB, who worked with INTERPOL and the Indonesian Police on this investigation, tracks the sniffer used as GetBilling, but according to another company called Sanguine Security, it is part of the Magecart family.

“Sanguine Security has been tracking the activity of this group for several years and has identified not 12 but 571 hacks by the same individuals,” the company said in a blog post following the arrests announcement. “These hacks could be attributed because of an odd message that was left in all of the skimming code: ‘Success gan !’ [which] translates to ‘Success bro’ in Indonesian and has been present for years on all of their skimming infrastructure.”

The three suspects were actually apprehended in December, but their arrest was not initially made public. That might be because of the larger law-enforcement effort dubbed Operation Night Fury that’s underway and is looking at additional attacks in the region.

In fact, according to Sanguine, new attacks with the same code have been observed since December and at least 27 online stores are currently infected. This means other members of the group could still be at large.

Group-IB, which has been tracking GetBilling attacks since 2018, has identified almost 200 infected websites in Indonesia, Australia, Europe, the United States, South America and other regions. In addition to physical goods, the group was also using stolen credit cards to pay for hosting services and new domains that they used in their attacks. Some of that infrastructure was hosted in Indonesia, but they always used VPN services to interact with it.

“According to Group-IB’s annual 2019 threat report, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2108-H1 2019 year-on-year,” the company said. “The size of the carding market, in turn, grew by 33% and amounted to USD 879.7 million. The sale of CVV data is also on rise today, having increased by 19% in the corresponding period, and one of the key reasons behind this trend could be JavaScript sniffers.”

The number of web skimming attacks has been growing over the past two years, with security firms detecting new such breaches every hour. Since this activity is so lucrative for cybercriminals, new skimmers have entered the underground market and have become commoditized, so these attacks are unlikely to stop anytime soon.

To put things in perspective, the Indonesian group was only responsible for 1% of all Magecart incidents detected since 2017 by Sanguine. The company estimates that there are at least 40 to 50 sophisticated individuals involved in web skimming activity.

E-commerce site owners and companies running shopping carts on their websites should regularly scan their websites for infections and keep their content management software and plug-ins up to date. Administrative credentials should also be strong and well protected. Web application firewalls can be used to detect and block intrusion attempts, but there are also other technologies like Content Security Policy (CSP) and Subresource Integrity (SRI) that can be used to restrict loaded scripts and prevent potential infections from impacting customers.

More on malware

This story, “Magecart-related arrests made in Indonesia” was originally published by


Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2020 IDG Communications, Inc.

This Article was first published on

About IT News Ug

Check Also

IT snapshot: Ethnic diversity in the tech industry

As Black Lives Matter marches take place across the world, where do the U.S., U.K. and other major Western countries stand in their IT diversity?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.