Interpol uncovers cyber crime operation in Indonesia

An Interpol-coordinated cyber operation against a strain of malware targeting e-commerce websites has identified hundreds of compromised websites and led to the arrest of three individuals who were allegedly running the malicious campaign from Indonesia.

The malware, known as a JavaScript-sniffer, the online equivalent of a traditional card skimmer, targets online shopping websites. When a website is infected, the malware steals the customers’ payment card details and personal data such as names, addresses and phone numbers, sending the information to command and control (C2) servers controlled by the cyber criminals.

Dubbed Operation Night Fury, the operation was conducted with the support of cyber security firm Group-IB, which provided data on the reach of the malware that has infected websites in several countries including Indonesia, Australia, UK, US, Germany and Brazil. Group-IB also supported the investigation with digital forensics expertise to help identify the suspects.

The Interpol’s ASEAN Cyber Capability Desk has since disseminated cyber activity reports to the affected countries, highlighting the threat to support their national investigations, including information on C2 servers and infected websites located in six countries in the Association of Southeast Asian Nations (ASEAN) region.

At the request of Indonesian police, Interpol provided technical and operational support that resulted in the arrest of three individuals suspected of commanding the C2 servers in the country. The investigation revealed the suspects were using the stolen payment card details to purchase electronic goods and other luxury items, then reselling them for a profit. They have been charged with the theft of electronic data, which carries up to a 10-year jail sentence in accordance with Indonesia’s criminal code.

“Strong and effective partnerships between police and the cyber security industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyber threat landscape,” said Craig Jones, Interpol’s director of cyber crime.

“This successful operation is just one example of how law enforcement is adapting and applying new technologies to aid investigations, and ultimately reduce the global impact of cyber crime,” he added.

In Singapore, local authorities identified and took down two of the C2 servers. Investigations in other ASEAN countries are ongoing, with the Interpol continuing to support police in locating C2 servers and infected websites, and identifying the cyber criminals involved.

The perpetrators behind the latest attack involving the use of JavaScript-sniffers were not new to the world of cyber crime. To access servers that collected stolen data and control their malware, they used virtual private network (VPN) connections to mask their real location and identity. To pay for hosting services and buy new domains, they only used stolen cards, according to Group-IB.

“Thanks to the Indonesian police and Interpol’s prompt actions, Operation Night Fury became the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the Asia-Pacific region,” said Vesta Matveeva, head of Group-IB’s cyber investigations team in the region.

“It is a great example of coordinated cross-border anti-cyber crime effort, and we are proud that our threat intelligence and digital forensics expertise helped to establish the suspects. We hope this will set a precedent for law enforcement in other jurisdiction too,” she added.

In a separate incident that took place under a year ago, the payment card information belonging to thousands of customers of Singapore banks was believed to have been compromised by a JavaScript-sniffer and put up for sale on the dark web.

During their analysis of underground card shops, Group-IB’s threat hunting team discovered a spike in the sale of raw data of 4,166 compromised payment cards – including CVV, card number and expiration date – issued by Singapore banks.

Group-IB said the data was uploaded in April 2019, and that the spike took place on 1 April when a database containing data on 1,726 compromised cards was put up. The mean figure from January to August 2019 was 2,379 cards per month.