First Ever Arrests Associated with MageCart Attacks

In the fourth quarter of 2019, a spike in MageCart attacks was seen. The most infamous of these involved British Airways, where nearly 400,000 individuals became victims through a piece of code only 22 lines long. Then in November of that same year, details emerged of how Macy’s had also fallen victim to such an attack. That attack occurred between October 7 and October 15, when hackers injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.

MageCart attacks involve hackers specifically targeting the shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer; because the card details are skimmed, this type of attack is also referred to as Web Skimming or eSkimming. The skimming of the card details amounts to theft, and the hacker can then use those details for any number of purposes, a popular one being selling them on the Darknet. In order to inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website or target third-party applications. Targeting third-party applications can be classified as a supply chain attack and often involves compromising analytics software, for example, in order to gain a foothold on the target’s web page.

In a combined operation between Interpol and Indonesian police, three individuals accused of carrying out MageCart attacks have seemingly been brought to book. The arrests took place on December 20, 2019, but the public was only informed about them at a press conference held towards the end of January 2020. In the press conference, the accused were identified by their initials: ANF (27 years old), K (35 years old), and N (23 years old). The accused come from the regions of Jakarta and Yogyakarta. According to the cybersecurity firm Sanguine Security, the group involves more members who are still at large. Those who have been caught can face up to ten years in prison.


Sanguine Security has a special involvement in the case, as the firm has been tracking the gang for several years. The Indonesian authorities are trying the accused for conducting MageCart attacks on twelve, mostly European, eCommerce websites. However, researchers have attributed 571 separate instances to the gang. These hacks have been attributed to the gang because of an odd phrase used in the injected code, that phrase being “Success gan !”. The phrase translates to “Success bro !” in English and has been present in all the attacks attributed to the gang. The gang has registered several domains since becoming active in 2017, often with suggestive names indicating both their whereabouts and intentions. Researchers have also noted that December 20, the day the three individuals were arrested, was not the end of the attacks pertaining to this gang. A further 27 stores have fallen victim to the gang since the arrests, using the same code.
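The two paragraphs above describe what a defender is actually looking for: JavaScript that was not supposed to be on the checkout page, often loaded from a third party, and in this gang's case carrying the “Success gan !” marker and a GetBilling function. The following script is an added example (not code from the article, Sanguine Security, or Group-IB) of a checkout-page audit a merchant could run against a saved copy of the page: it parses every script tag, flags external scripts from origins outside a hypothetical allowlist or lacking a Subresource Integrity attribute, flags inline scripts whose hash is not in a known-good baseline, and flags the indicator strings the article names. The origins, file names and both sample pages are constructed for the example; the injected inline script contains only a comment and an empty function, not any skimming logic.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of origins a shop trusts to serve checkout-page JavaScript.
TRUSTED_SCRIPT_ORIGINS = {"shop.example", "cdn.example"}

# Indicators named in the article: the comment phrase found in the gang's injected
# code and the function name Group-IB derived the "GetBilling" group name from.
KNOWN_INDICATORS = ("Success gan !", "GetBilling")


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: src and integrity for external ones, body for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            self._current = {"src": attrs.get("src"), "integrity": attrs.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script content raw (CDATA), possibly in several chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def _inline_hash(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def baseline_from_html(html):
    """Build the known-good set of inline-script hashes from a reviewed snapshot of the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {_inline_hash(s["body"]) for s in parser.scripts if not s["src"]}


def audit_checkout_page(html, baseline_hashes, trusted_origins=TRUSTED_SCRIPT_ORIGINS,
                        first_party="shop.example"):
    """Return (kind, detail) findings for scripts that deviate from the expected checkout page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            # Relative URLs resolve to the shop itself; anything else is judged by hostname.
            origin = urlparse(script["src"]).hostname or first_party
            if origin not in trusted_origins:
                findings.append(("untrusted-origin", script["src"]))
            if not script["integrity"]:
                # Without SRI, a compromised third party can swap the file silently.
                findings.append(("missing-sri", script["src"]))
        else:
            body = script["body"]
            if _inline_hash(body) not in baseline_hashes:
                findings.append(("unbaselined-inline", _inline_hash(body)[:16]))
            for indicator in KNOWN_INDICATORS:
                if indicator in body:
                    findings.append(("known-indicator", indicator))
    return findings


# Constructed known-good checkout page: one trusted external script with SRI, one inline script.
GOOD_CHECKOUT_HTML = """<html><body>
<form id="checkout"><input name="cc-number"></form>
<script src="https://cdn.example/checkout.js" integrity="sha384-PLACEHOLDER_DIGEST"></script>
<script>window.checkoutVersion = "2.1";</script>
</body></html>"""

# Constructed tampered copy: the same page plus an injected inline script (placeholder only,
# no skimming logic) and an unknown third-party script loaded without an integrity attribute.
TAMPERED_CHECKOUT_HTML = GOOD_CHECKOUT_HTML.replace(
    "</body>",
    '<script>/* Success gan ! */ function GetBilling() { /* constructed placeholder */ }</script>\n'
    '<script src="https://static-analytics.invalid/a.js"></script>\n</body>',
)

if __name__ == "__main__":
    baseline = baseline_from_html(GOOD_CHECKOUT_HTML)
    print("known-good page:", audit_checkout_page(GOOD_CHECKOUT_HTML, baseline))
    for kind, detail in audit_checkout_page(TAMPERED_CHECKOUT_HTML, baseline):
        print(f"{kind:20s} {detail}")
```

The baseline is taken from a reviewed snapshot, so any inline script that later changes shows up as an unbaselined hash even when it contains no known indicator; the indicator check is only useful for this one gang's tooling, while the origin, SRI and hash checks catch the general case the article describes, including code injected through a compromised third-party script.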

On the Radar

The gang has not only been tracked by Sanguine Security and police forces across the globe. It has also been tracked by Group-IB, a security firm specializing in the fight against MageCart attacks. On January 27, Group-IB published an article detailing Operation Night Fury, the codename given to the police operation to arrest specific gang members. The security firm has been tracking the gang under the name GetBilling, which was derived from one of the functions used in the malicious JavaScript code. The firm was directly involved in helping the authorities arrest the individuals mentioned above. The accused were traced through payments for electronic devices and luxury items made using the stolen card details, most of which the accused attempted to resell online at below market value.

In an attempt to hide their location and identity, the accused made use of a VPN when retrieving the stolen card data from command and control servers. The gang would also use stolen card details to pay for web hosting services, in another attempt to hide their identities. Despite these attempts, researchers were able to track the command and control servers to locations in Indonesia. This information was relayed to both Interpol and the Indonesian police’s cyber department, and from there it was used directly in the arrest of the three individuals. This is not the last that will be heard of the case, as the criminal case has not been closed and is still ongoing. Hopefully, more members of the gang will be arrested in the months to come.

Highlighting the problem that MageCart attacks, which the firm calls JavaScript-sniffers, pose to both eCommerce store owners and consumers, Group-IB noted:

“According to Group-IB’s annual 2019 threat report, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2018-H1 2019 year-on-year. The size of the carding market, in turn, grew by 33 percent and amounted to USD 879.7 million. The sale of CVV data is also on the rise today, having increased by 19 percent in the corresponding period, and one of the key reasons behind this trend could be JavaScript-sniffers.”

The security firm provided the following advice for preventing financial loss as a result of such an attack:

“To avoid big financial losses due to JS-sniffers, it’s recommended for online users to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.”


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
