It really does take a village of vigilantes to snare borderless cybercriminals these days.
The arrest came as a result of a joint operation “Night Fury” initiated by INTERPOL’s ASEAN Cyber Capability Desk (ASEAN Desk) that involved Indonesian Cyber Police (BARESKRIM POLRI (Dittipidsiber)) and Group-IB’s APAC Cyber Investigations Team.
The GetBilling family was first described in Group-IB’s 2019 report, which took a deep dive into the world of JS‑sniffers. According to the report’s author, Viktor Okorokov, threat intelligence analyst at Group-IB, 38 families of JS-sniffers were in circulation at the time of publication. Since then, the number of JS-sniffer families discovered by the company has almost doubled and continues to grow.
JS‑sniffers have caused many security incidents in the past—the infection of the British Airways website and mobile app, the payment-card attack on the UK website of the international company FILA, etc.—and continue to gain popularity among cybercriminals. Most recently, in December 2019, JS-sniffers hit the APAC region, infecting the websites of the Singaporean fashion brand Love, Bonito.
Young hackers in custody
In December 2019, three suspects with the initials “ANF” (27 y.o.), “K” (35 y.o.), and “N” (23 y.o.) were arrested in two different regions in Indonesia — Special Region of Yogyakarta and Special Capital Region of Jakarta—as part of the joint operation “Night Fury” carried out by Indonesian Cyber Police and INTERPOL with the help of Group-IB’s Cyber Investigations team.
Said Craig Jones, INTERPOL’s Director of Cybercrime: “Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyberthreat landscape. This successful operation is just one example of how law enforcement are working with industry partners, adapting and applying new technologies to aid investigations and ultimately reduce the global impact of cybercrime.”
Police superintendent Idam Wasiadi, Cybercrime Investigator at the Directorate of Cybercrime, CID of the Indonesian National Police, added: “There are many challenges and obstacles in cross-border hi-tech crime investigations like this. The Night Fury Operation showed that these obstacles could only be overcome with close collaboration between national law enforcement, international organizations and private companies. Effective multi-jurisdictional coordination of efforts between Indonesia’s Cyber Police, INTERPOL and Group-IB allowed us to attribute the crimes, establish the perpetrators behind the JS-sniffer and arrest them. But more importantly, to protect the community and raise public awareness about the problem of cybercrime and its impact.”
How it all unravelled
Group-IB had been tracking the GetBilling JS-sniffer family since 2018. Group-IB’s Cyber Investigations team analysed the infrastructure controlled by the suspected GetBilling operators arrested in Indonesia and found that the gang had managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America, and other regions. However, the investigation in other ASEAN countries continues, and the number of websites infected with the GetBilling family is likely to be higher.
According to the investigation, the suspects used the stolen payment data to buy goods, such as electronic devices and other luxury items, which they then tried to resell online in Indonesia below market price.
Group-IB’s Cyber Investigations team determined that some of GetBilling’s infrastructure was located in Indonesia. Upon discovering this, INTERPOL’s ASEAN Desk promptly notified the Indonesian cyber police. Further investigation showed that GetBilling’s operators were not new to the world of cybercrime. Whenever they accessed the servers used to collect stolen data and control their JS-sniffers, they used a VPN to hide their real location and identity. To pay for hosting services and buy new domains, the gang members only used stolen cards. Despite this, the Indonesian cyber police, in cooperation with INTERPOL and Group-IB’s Cyber Investigations team, managed to establish that the group was operating from Indonesia.
To limit financial losses from JS-sniffers, online users are advised to keep a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, for their part, need to keep their software updated and carry out regular cybersecurity assessments of their websites.