The rapid and recent rise of cyber threat actor group Indonesian Cyber Jawa represents a pivot within the Indonesian cyber underground towards a more sophisticated attack toolkit from a relatively underrepresented underground criminal faction. The group is concentrating its defacement efforts on online retailers while simultaneously attempting to defraud targets in the same business vertical.
- Beginning in 2017, the website https://defacer[.]id began tracking and ranking Indonesian threat actors involved in website defacement; the majority of the websites attacked and defaced are Indonesia-based. Zone-xsec[.]com, another website that tracks Indonesian threat actor groups interested in defacing websites, appeared in mid-2020; the majority of the websites it records as attacked and defaced are American and retail-based.
- Indonesian Cyber Jawa consistently ranks high on zone-xsec[.]com and claims at least 3,103 website defacements since mid-2020. The actors are now, however, taking the skills gained from website defacement and moving into the online retail fraud space beyond Indonesia.
- On 18 May 2020, Indonesian Cyber Jawa began to document its exploits on a blog, including guides on carding and Google Dorking, in both Indonesian and English, probably in an effort to increase recognition and reputational capital beyond the Indonesian cyber threat community.
Once the group has compromised user data, it takes the attack one step further by exploiting the stolen credentials to conduct e-commerce fraud. The group's guides describe two different methods of 'carding' that use the compromised credentials:
- If a bad actor has access to a PC, the guide instructs the individual to follow certain steps, such as setting up a VPN and an American telephone number, and then to purchase an item under $500 USD from the retailer. The instructions further specify that the actor should ship items to family members in the U.S. or use a US-based drop shipping company.
- If a bad actor has access only to a mobile device, the group recommends creating a Gmail account matching the name of the victim on the stolen credit card, to be used during account creation. This method, however, is meant for purchasing products in the actor's home country.
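From the defender's side, the two methods above translate into a handful of order-level indicators (brand-new account, email built from the cardholder's name, order under $500, VPN client IP, ship-to at a drop shipper or outside the billing country, mobile client). The following is an added example, not code from the report or from any retailer, of a review heuristic that stacks those weak indicators; the `Order` field names and the sample orders are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Order:  # field names are constructed for this example
    account_age_days: int     # age of the customer account at checkout
    email: str                # account email address
    cardholder: str           # name on the payment card
    amount_usd: float
    billing_country: str      # country of the card's billing address
    shipping_country: str     # country of the ship-to address
    ship_to_forwarder: bool   # ship-to matches a known drop-ship/forwarder address
    ip_is_vpn: bool           # client IP falls in a commercial VPN range
    is_mobile_client: bool    # client type is a mobile device

def email_mirrors_cardholder(email: str, cardholder: str) -> bool:
    """True when the email local part is built from the cardholder's name
    (e.g. 'jane.doe87@gmail.com' for 'Jane Doe'); weak alone, so only counted in combination."""
    local = re.sub(r"[^a-z]", "", email.split("@")[0].lower())
    parts = [p.lower() for p in cardholder.split()]
    return bool(parts) and all(p in local for p in parts)

def carding_indicators(o: Order) -> list[str]:
    """Indicators drawn from the report's two methods: method 1 (PC, VPN, under $500,
    US drop shipper) and method 2 (mobile, fresh Gmail in the cardholder's name, ship home)."""
    flags = []
    if o.account_age_days <= 1:
        flags.append("new_account")
    if email_mirrors_cardholder(o.email, o.cardholder):
        flags.append("email_mirrors_cardholder")
    if o.amount_usd < 500:
        flags.append("under_500_usd")
    if o.ip_is_vpn:
        flags.append("vpn_ip")
    if o.ship_to_forwarder:
        flags.append("ship_to_forwarder")
    if o.shipping_country != o.billing_country:
        flags.append("ship_country_differs_from_billing")
    if o.is_mobile_client and "new_account" in flags:
        flags.append("mobile_new_account")
    return flags

def needs_manual_review(o: Order, threshold: int = 3) -> bool:
    """Hold the order for review once enough weak indicators stack up."""
    return len(carding_indicators(o)) >= threshold

# Constructed sample orders: one resembling each method and one ordinary order.
METHOD1_LIKE = Order(0, "buyer77@gmail.com", "Jane Doe", 420.0, "US", "US", True, True, False)
METHOD2_LIKE = Order(0, "janedoe88@gmail.com", "Jane Doe", 250.0, "US", "ID", False, False, True)
ORDINARY = Order(900, "jdoe@example.com", "Jane Doe", 1200.0, "US", "US", False, False, True)
```

The threshold is deliberately conservative: any single indicator (an order under $500, a mobile client) is common in legitimate traffic, so only the combination is routed to manual review.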
Vigilante warns that the rise of this particular group's defacement activity, coupled with its tutorial on carding, indicates an emerging Indonesia-based threat to general website security and an increase in e-commerce account takeover attacks. These Indonesia-based attacks will most likely emanate from the attackers' mobile devices because desktop computers and laptops are not ubiquitous there: only about 13.89 out of every 1,000 people in Indonesia own a computer.
- Moreover, the primary web server that Indonesian cyber threat actors on defacer[.]id employ to deface websites is NGINX, because of its faster processing and more efficient consumption of RAM, and due to the lack of consistent and reliable access to 3G and 4G networks in Indonesia.
- The web server of choice for cyber groups on zone-xsec[.]com is Apache. This potentially indicates increased access to computers and a general interest among Indonesian threat actors in retail websites running Apache web servers.