The Indonesian National Police in a joint press conference with Interpol earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers.
Dubbed ‘Operation Night Fury,’ the investigation was led by Interpol’s ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime.
According to the press conference, all three accused (23, 26, and 35 years old) were arrested in December last year in Jakarta and Yogyakarta and charged under criminal laws related to data theft, fraud, and unauthorized access.
Just like most of the other widespread Magecart attacks, the modus operandi behind this series of attacks also involved exploiting unpatched vulnerabilities in e-commerce websites powered by Magento and WordPress content management platforms.
Hackers then secretly implanted digital credit card skimming code, also known as web skimming or JS sniffers, on those compromised websites to intercept users’ inputs in real time and steal their payment card numbers, names, addresses and login details.
Though Indonesian police claim these hackers had compromised 12 e-commerce websites, experts at cybersecurity firm Sanguine Security believe the same group is behind the credit card theft at more than 571 online stores.
“These hacks could be attributed because of an odd message that was left in all of the skimming code,” Sanguine Security said.
“‘Success gan’ translates to ‘Success bro’ in Indonesian and has been present for years on all of their skimming infrastructures.”
The police revealed that the suspects used stolen credit cards to buy electronic goods and other luxury items, and then also attempted to resell some of them at a relatively low price through local e-commerce websites in Indonesia.
On an Indonesian news channel, one of the accused even admitted to hacking e-commerce websites and injecting web skimmers since 2017.
Moreover, experts also observed similar cyberattacks linked to the same online infrastructure even after the arrest of the three people, and thus believe that more members of this hacking group are still at large.