Dubbed 'Operation Night Fury,' the investigation was led by Interpol's ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime.
The three hackers were arrested in December in Jakarta and Yogyakarta and charged with data theft, fraud, and unauthorized access to computer systems. The men face up to 10 years in prison under article 363 of the Indonesian Criminal Code.
To hide their real location and identity, the group used VPNs while connecting to their command-and-control servers and used stolen payment cards to buy new domains.
Researchers from Sanguine Security have tracked the activity of this group for several years and believe they have compromised more than 571 e-commerce stores.
Just like most of the other widespread Magecart attacks, the modus operandi behind this series of attacks also involved exploiting unpatched vulnerabilities in e-commerce websites powered by Magento and WordPress content management platforms.
Hackers then secretly implanted digital credit card skimming code—also known as web skimming or JS sniffers—on those compromised websites to intercept users' inputs in real-time and steal their payment card numbers, names, addresses and login details as well.
The attribution of the 571 attacks to this specific group is based on an odd message that was left in all of the skimming code they used:
“Success gan !” translates to “Success bro” in Indonesian.
According to the authorities, the suspects used stolen credit cards to buy electronic goods and other luxury items, and then resold them on local e-commerce websites in Indonesia.
On an Indonesian news channel, one of the accused even admitted to hacking e-commerce websites and injecting web skimmers since 2017.
According to the experts from Sanguine Security, this group is responsible for only 1% of overall attacks carried out by groups under the Magecart umbrella, which means that many other hackers are ready to attack e-commerce sites worldwide.