Indonesian police arrest 3 men for alleged Magecart-style attacks
Police in Indonesia have arrested three men accused of inserting malicious code into e-commerce websites to steal shoppers’ payment data, an emerging hacking technique that scammers have used to pilfer victims’ information while avoiding detection.
Interpol announced Monday it coordinated a law enforcement operation that identified hundreds of websites that had been infected with malicious software used to collect customers’ financial data and personal details. Three men, identified only by their initials, were arrested on Dec. 20 in Jakarta and Yogyakarta, for allegedly using the stolen data to purchase electronics and other luxury items, then reselling that merchandise for a profit.
By relying a malicious tool that attacked the JavaScript programming language, this group used a technique known as a Magecart-style attack to carry out the digital equivalent of a smash-and-grab robbery. At least a dozen so-called Magecart groups use similar techniques to steal data from victims that have included British Airways, U.S. restaurant chains and millions of other locations, researchers have suggested.
The security company Group-IB, which provided Interpol with forensic data for this investigation, said Monday it had been tracking the group under the name of “GetBilling.” The group based some of its infrastructure in Indonesia, according to Group-IB, and used virtual-private-networks to hide its activities. Members also paid for new domain and internet hosting services with stolen cards.
It remains unclear which sites the GetBilling crew allegedly targeted,
Another security firm, Sanguine Labs, declared that the same hackers had infected 571 online marketplaces, and that they used the phrase “Success gan!” (which translates to “Success bro”) in their malicious code. Other members of the group remain in operation, the company claimed.
Meanwhile, police in Indonesia paraded the three men arrested last month in front of a press conference in orange jumpsuits, as law enforcement officials spoke of their investigation. One accused scammer reportedly told an Indonesian television station he made only enough money to purchase a jacket.
Each faces up to 10 years in prison, according to authorities.