The fourth quarter of 2019 saw a spike in MageCart attacks. The most infamous of these involved British Airways, in which nearly 400,000 individuals became victims through a piece of code only 22 lines long. Then in November of that same year, details emerged of how Macy’s also fell victim to such an attack. The attack occurred between October 7 and October 15, when hackers injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.
MageCart attacks involve hackers specifically targeting shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer, which is why this type of attack is also referred to as Web Skimming or eSkimming. Skimming the card details amounts to theft, and the hacker can then use those details for any number of purposes, a popular one being to sell them on the Darknet. To inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website or target third-party applications. Targeting third-party applications can be classified as a supply chain attack and often involves compromising analytics software, for example, in order to gain a foothold on the target’s webpage.
In a combined operation between Interpol and Indonesian police, three individuals accused of carrying out MageCart attacks have seemingly been brought to book. The arrests took place on December 20, 2019, but the public was only informed about them at a press conference held towards the end of January 2020. In the press conference, the accused were identified by their initials: ANF (27 years old), K (35 years old), and N (23 years old). The accused come from the regions of Jakarta and Yogyakarta. According to the cybersecurity firm Sanguine Security, the group includes more members who are still at large. Those who have been caught can face up to ten years in prison.
Sanguine Security has a special involvement in the case, as it has been tracking the gang for several years. The Indonesian authorities are trying the accused for conducting MageCart attacks on twelve, mostly European, eCommerce websites. However, researchers have attributed 571 separate instances to the gang. These hacks have been attributed to the gang because of an odd phrase in the injected code: “Success gan !”. The phrase translates to “Success bro !” in English and has been present in all the attacks attributed to the gang. Active since 2017, the gang has registered several domains, often with suggestive names indicating both their whereabouts and intentions. Researchers have also noted that December 20, the date the three individuals were arrested, was not the end of the attacks attributed to this gang. A further 27 stores have fallen victim to the same code since the arrests.
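For merchants, the two injection routes described above (a compromised site or a compromised third-party script) and the recurring “Success gan !” phrase translate into a simple audit of the checkout page's script tags. The following is an added example, not code from the article or from Sanguine Security; the allowlisted hosts, the sample HTML and the function name `auditScripts` are constructed assumptions.

```javascript
// Added example: defensive audit of the <script> tags on a checkout page.
// ALLOWED_HOSTS and SAMPLE_HTML are constructed for illustration.
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);
// Phrase the article says recurs in this gang's injected code (spacing normalised).
const MARKER = /success\s+gan\s*!/i;

function auditScripts(html, pageUrl) {
  const findings = [];
  const pageHost = new URL(pageUrl).hostname;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // Resolve relative and protocol-relative URLs against the page.
      const host = new URL(src[1], pageUrl).hostname;
      if (!ALLOWED_HOSTS.has(host)) {
        // Script served from a host the merchant never approved.
        findings.push({ type: "unlisted-host", detail: host });
      } else if (host !== pageHost && !/\bintegrity\s*=/i.test(attrs)) {
        // Approved third-party host, but no Subresource Integrity pin,
        // so a change at the supplier would go unnoticed.
        findings.push({ type: "no-sri", detail: src[1] });
      }
    } else if (MARKER.test(body)) {
      // Inline script containing the known phrase.
      findings.push({ type: "known-marker", detail: "inline script" });
    }
  }
  return findings;
}

// Constructed sample page; the integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<html><body>
<script src="/js/cart.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://cdn.shop.example/pay.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.invalid/tag.js"></script>
<script>var status = "Success gan !";</script>
</body></html>`;

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

The check only inspects markup and inline script bodies; the contents of external scripts would have to be fetched and scanned separately.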
On the Radar
In an attempt to hide their location and identity, the accused used a VPN when retrieving the stolen card data from command and control servers. The gang would also use stolen card details to pay for web hosting services in another attempt to hide their identities. Despite these attempts, researchers were able to trace the command and control servers to locations in Indonesia. This information was relayed to both Interpol and the Indonesian police’s cyber department, and was used directly in the arrest of the three individuals. This is not the last that will be heard of the case, as the criminal case has not been closed and is still ongoing. Hopefully, more members of the gang will be arrested in the months to come.
The security firm provided the following advice to prevent financial loss as a result of such an attack:
“To avoid big financial losses due to JS-sniffers, it’s recommended for online users to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.”