North Korean hackers linked to web skimming (Magecart) attacks, report says

After hacking banks and cryptocurrency exchanges, orchestrating ATM cash-outs, and deploying ransomware, North Korean hackers have now set their sights on online stores.
Written by Catalin Cimpanu, Contributor

(Image: via file footage/CBSNews.com)

North Korea's state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers' payment card details as they visit the checkout page and fill in payment forms.

Attacks on online stores have been going on since May 2019, said Dutch cyber-security firm SanSec in a report published today.

The highest-profile victim in this series of hacks is accessories store chain Claire's, which was breached in April and June this year.

These types of attacks are named "web skimming," "e-skimming," or "Magecart attack," with the last name coming from the name of the first group who engaged in such tactics.

Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store's backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store's frontend.

The code loads only on the check out page, and silently logs payment card details as they're entered into checkout forms. This data is then exfiltrated to a remote server, from where hackers collect it and sell it on underground cybercrime markets.

Web skimming attacks usually require hackers to operated a large infrastructure to host the malicious code or run collection points.

The SanSec report links domains and server IP addresses used in recent web skimming attacks to previously-known North Korean state-sponsored hacking infrastructure.

SanSec founder Willem de Groot said evidence points back to Hidden Cobra (or Lazarus Group), the codename given by the US Department of Homeland Security to Pyongyang's elite state-operated hacking crews.

Image: SanSec

Green = hacked store
Red = Hidden Cobra controlled exfiltration nodes
Yellow = Unique technique linking the attacks and malicious code

"How HIDDEN COBRA got access is yet unknown, but attackers often use spearphishing attacks (booby-trapped emails) to obtain the passwords of retail staff," de Groot said today.

North Korean hackers dabble in cybercrime

SanSec's findings are part of a larger picture of North Korean state-sponsored hacking operations. While many government-backed groups engage in cyber-espionage activities only, North Korea, due to sanctions that are crippling its economy, also uses state hackers to gather funds for its government.

Pyongyang's hackers have been linked to cyber-heists at banks all over the globe, have been involved in ATM heists and ATM cash-outs, have orchestrated cryptocurrency scams, and have breached cryptocurrency exchanges.

They are also known to regularly buy commodity malware off the underground cybercrime market, and have been recently spotted planning COVID-19 phishing campaigns.

North Korean hackers have also been blamed for creating the infamous WannaCry ransomware, which brought a large part of the IT world to its knees in May 2017. Authorities and experts said WannaCry was a botched attempt at creating a ransomware strain to use in extorting victims for money to raise funds for the Pyongyang regime.

As a result of North Korea's brazen hacking campaigns, in September 2019, the US Treasury Department imposed sanctions on business entities it believed were associated with three hacking groups, and which US officials claimed were front companies used to raise funds for North Korea's weapons and missile programs.

The fact that North Korean hackers have been involved in web skimming incidents is not a surprise to industry experts, as they've historically gravitated towards any type of cybercrime that can generate a profit.

Europol’s top hacking ring takedowns

Editorial standards