Magecart-styled Indonesian Attackers Succumbed to Operation 'Night Fury' by Interpol

  • The group members could be members of ‘GetBilling,’ a Magecart group. If so, it would mark the first arrests of a Magecart group.
  • Experts reportedly saw similar cyberattacks linked to the same online infrastructure even after the arrests of three people.

Indonesian police joined forces with Interpol to crack down on hackers who stole payment card information from customers of hundreds of hacked online stores.

The group members were under strong suspicion of belonging to a Magecart group. If so, it would mark the first arrests of a Magecart group.

About Operation 'Night Fury'

The collaboration between the Indonesian cyber police, Interpol's ASEAN Desk, and Singapore-based Group-IB led to the arrest of three people last month. The operation was dubbed "Night Fury."

Claims and clues

According to reports, and as some cybersecurity researchers also claim, the group could be members of the ‘GetBilling’ group.

  • The trio, aged 27, 35, and 23, were identified by their initials AND, K, and NA, respectively.
  • By their own confession, the skimmers stole data from 500 credit cards used to shop on 12 websites.
  • Operating since at least 2017, GetBilling is responsible for 1 percent of all Magecart incidents, at a minimum.

One of the attackers even admitted (on camera) to injecting web skimmers into compromised shops since 2017, and revealed that the targets were chosen at random.

How was ‘GetBilling’ operating?

Hundreds of web stores suffered.

  • The group used VPNs when connecting to its C&C servers, and used stolen payment cards to buy new domains.
  • The investigation unveiled that the suspects used the pilfered card information to buy goods (electronics and luxury items).
  • They would then try to sell those goods below market value. This made them a profit of up to $30,000.

Key notes from the investigation

Group-IB has been tracking the GetBilling script since 2018.

  • The company found that the cybercriminal group had planted the script on about 200 websites in Indonesia, Australia, Europe (the U.K., Germany), the U.S., South America, and some other countries.
  • Another cybersecurity firm believes that the same group could be behind the credit card theft at more than 571 online stores.

Closing lines

Experts reportedly saw similar cyberattacks linked to the same online infrastructure even after the arrests of three people.

"The operation is still ongoing in the other five ASEAN countries with which the intelligence was also shared. This case marks the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the region," Group-IB said in a press release.