Three individuals accused of MageCart attacks are arrested

In the last three months of the previous year, a spike in MageCart attacks was seen. The most infamous of them hit British Airways, where nearly 400,000 individuals became victims because of a piece of code only 22 lines long. The attack occurred between 7 and 15 October, when hackers injected the malicious code into the company's online checkout web page. Now, Indonesian police have arrested three individuals accused of being members of the MageCart gang.

The MageCart gang targets shopping cart applications found on eCommerce websites. They use malicious code to skim the card details entered by customers; this technique is called web skimming or eSkimming. Thereafter, the hackers can use the cards for any purpose; typically, they sell them on the Darknet. In order to inject the malicious code into the cart, they compromise either the target eCommerce site itself or a third-party application it loads.

In a combined effort of Interpol and the Indonesian police, three individuals accused of MageCart attacks were arrested on December 20, 2019. The public was informed about this through a press conference at the end of January 2020. In the press conference, the individuals were identified by their initials: ANF (27 years old), K (35 years old), and N (23 years old). They were from Jakarta and Yogyakarta.

As per the Indonesian authorities, the gang carried out MageCart attacks on twelve eCommerce websites, most of which are European. However, researchers from Sanguine Security have attributed 571 different instances to the gang based on an odd phrase, "Success gan !", used in its code. This phrase translates to "Success bro !" in English and has been present in all the attacks attributed to the gang. Since 2017 the gang has registered several domains, often with names that hint at their whereabouts and intentions.

On the Radar

Apart from Sanguine Security and the police, the security firm Group-IB also tracked the gang. This firm specializes in fighting MageCart attacks. On January 27, it published an article on Operation Night Fury, the codename given to the police operation to arrest the gang members. The firm tracked the gang under the name GetBilling, a name derived from one of the functions used in the malicious JavaScript code. It helped the authorities in arresting the individuals, who were traced through payments for electronic devices and luxury items made with the stolen card details.

The accused used a VPN to hide their location and identity. They used this VPN to retrieve the stolen card data from their command and control servers. They also paid for web hosting services with stolen card details in an attempt to hide their identities. Despite these attempts, the researchers managed to trace the command and control servers to locations in Indonesia, and this information was used for the arrest. Hopefully, other members of the gang will also be arrested in the coming months.

Group-IB noted the problem that MageCart attacks pose to eCommerce store owners and customers: "the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2018-H1 2019 year-on-year. The size of the carding market, in turn, grew by 33 percent and amounted to USD 879.7 million. The sale of CVV data is also on the rise today, having increased by 19 percent in the corresponding period, and one of the key reasons behind this trend could be JavaScript-sniffers."

The security firm's guidance for preventing financial loss as a result of such an attack:

"To avoid big financial losses due to JS-sniffers, it's recommended for online users to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites."