The websites of multiple retailers in the US and Europe have been compromised by the Magecart credit card skimmer following a series of cyberattacks which are believed to have been launched by the North Korean state-sponsored advanced persistent threat (APT) group Lazarus.
Up until now, North Korean hacking activity was limited to banks and South Korean cryptocurrency markets and the country's covert cyber operations have earned hackers $2bn, according to a report released last year by the UN.
As reported by Computer Weekly (opens in new tab), Sansec researcher Willem de Groot first discovered the new campaign that has been operating for over 12 months.
- North Korean malware could still pose major threat
- Microsoft takes down 50 North Korean hacking sites
- Many online stores are being hit by this old vulnerability
De Groot believes the campaign is financially motivated as obtaining hard currency can be difficult for North Korea and its government. The stolen payment card details acquired from Magecart can be sold from between $5 and $30 on dark web forums which means that the operation has likely been quite lucrative for the Lazarus group.
Global skimming campaign
According to a blog post (opens in new tab) from Sansec, the Lazarus group used the sites of an Italian modeling agency and a vintage music store in Tehran to run its global skimming campaign.
In order to monetize its skimming operations, the group developed a global exfiltration network that utilizes compromised websites as a disguise for its criminal activity. The network is also used to funnel the stolen assets so that they can be sold on dark web markets.
Sansec research connected the dots to lead back to the Lazarus group after it identified multiple, independent links between recent skimming activity and previously documented North Korean hacking operations. The firm believes that the group used spear phishing attacks to obtain staff passwords to online retail sites. Once inside, the hackers injected the malicious Magecart script into these store's checkout pages where the skimmer was able to collect customer's payment data.
It was first discovered that hackers had infiltrated these sites back in June of last year and Sansec has been tracking the campaign ever since through unique identifying characteristics and distinctive patterns in the skimmer's code.
- Keep your devices protected online with the best antivirus software
Via Computer Weekly (opens in new tab)