Gorodenkoff - stock.adobe.com

3 Magecart suspects arrested in Interpol operation

Three alleged cybercriminals suspected of being associated with Magecart were arrested in Indonesia via an Interpol-assisted operation called Operation Night Fury.

Suspected operators of a group under the Magecart cybercriminal umbrella, dubbed GetBilling, were arrested in Indonesia in a joint law enforcement operation supported by Interpol.

Interpol and the Indonesian National Police announced Friday that a joint effort called Operation Night Fury had led to the arrest of three individuals in the country who were allegedly operating GetBilling. The group was responsible for distributing malware, known as a JavaScript-sniffer, built with the intention of stealing payment card information and various personal data. The information was then sent to command and control (C&C) servers operated by the suspects, two of which were later seized by authorities.

Data leading to the arrests was provided to Interpol by Singapore-based cybersecurity vendor Group-IB, including the scope and range of the malware, as well as digital forensics expertise, which helped lead to identification of the arrested suspects, according to Interpol's statement published Monday.

"Group-IB had been tracking the GetBilling JS-sniffer family since 2018, thanks to proprietary analytical and monitoring systems; Group-IB's cyber investigations team determined that some of the GetBilling's C&Cs were located in Indonesia and some other countries," Vesta Matveeva, head of Group-IB's APAC cyber investigations team, told SearchSecurity in an email. "Upon discovery of this information, Interpol's ASEAN [Association of Southeast Asian Nations] Desk promptly notified Indonesian cyber police and led the operation. Investigations in other ASEAN countries are ongoing."

Interpol said there are six countries in the ASEAN region with C&C servers and infected websites in said region. The law enforcement agency also said, "The investigation revealed the suspects were using the stolen payment card details to purchase electronic good and other luxury items, then reselling them for a profit."

Magecart attack groups have been responsible for infecting many businesses with sniffer or "skimmer" malware, often targeting e-commerce platforms such as Magento and some of the more notable victims, including British Airways, Macy's and Ticketmaster. Dozens of smaller cybercrime groups have been identified as being "Magecart groups," so it's unclear which subgroups may be responsible for specific attacks. However, Matveeva told SearchSecurity that GetBilling was not responsible for the British Airways hack.

SearchSecurity asked Group-IB what effect Operation Night Fury would have on the overall Magecart threat, but the company said it couldn't comment further because investigations are ongoing.

However, Matveeva said the scale of Magento cybercrime is extensive, noting that in its initial report identifying GetBilling last March, Group-IB discovered 38 "families" of JavaScript-sniffers. "Ever since, the number of JS-sniffer families discovered by Group-IB Threat Intelligence team has almost doubled and continues to grow," she said. "And the GetBilling JS-sniffer family is just one out of many."

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing