Suspected operators of a group under the Magecart cybercriminal umbrella, dubbed GetBilling, were arrested in Indonesia in a joint law enforcement operation supported by Interpol.
Data leading to the arrests was provided to Interpol by Singapore-based cybersecurity vendor Group-IB, including the scope and range of the malware, as well as digital forensics expertise, which helped lead to identification of the arrested suspects, according to Interpol's statement published Monday.
"Group-IB had been tracking the GetBilling JS-sniffer family since 2018, thanks to proprietary analytical and monitoring systems; Group-IB's cyber investigations team determined that some of GetBilling's C&Cs were located in Indonesia and some other countries," Vesta Matveeva, head of Group-IB's APAC cyber investigations team, told SearchSecurity in an email. "Upon discovery of this information, Interpol's ASEAN [Association of Southeast Asian Nations] Desk promptly notified Indonesian cyber police and led the operation. Investigations in other ASEAN countries are ongoing."
Interpol said C&C servers and infected websites were found in six countries in the ASEAN region. The law enforcement agency also said, "The investigation revealed the suspects were using the stolen payment card details to purchase electronic goods and other luxury items, then reselling them for a profit."
Magecart attack groups have been responsible for infecting many businesses with sniffer or "skimmer" malware, often targeting e-commerce platforms such as Magento. Some of the more notable victims include British Airways, Macy's and Ticketmaster. Dozens of smaller cybercrime groups have been identified as being "Magecart groups," so it's unclear which subgroups may be responsible for specific attacks. However, Matveeva told SearchSecurity that GetBilling was not responsible for the British Airways hack.
SearchSecurity asked Group-IB what effect Operation Night Fury would have on the overall Magecart threat, but the company said it couldn't comment further because investigations are ongoing.