North Korean Hackers Behind Magecart Attacks on Online Stores
North Korean state-sponsored hackers have now extended their portfolio with the profitable card skimming attacks, also known as Magecart attacks. Hidden Cobra (or Lazarus Group) became the latest reported hacker group to launch a global skimming campaign since at least May 2019.
Recently, Sansec researchers found independent links between the global skimming activities and previously documented North Korea-linked hacking operations. Furthermore, the malware code patterns in multiple hacks also pointed towards the same actor being involved.
- According to the Sansec report, the North Korean hacker group Hidden Cobra used shared infrastructure (domain registrar and DNS service) to launch skimming attacks on US and European shoppers.
- Attackers gained unauthorized access to the store code of large retailers such as international fashion chain Claire’s to inject its malicious script into the store checkout page. Then the skimmer silently logged payment card details and exfiltrated data (such as credit card numbers) to a Hidden Cobra-controlled collection server.
- In the global web skimming campaign, they used sites like luxmodelagency[.]com, areac-agr[.]com, darvishkhan[.]net, technokain[.]com, etc and developed a global exfiltration network to monetize the skimming operations.
The Magecart attack trends
Recently, hackers have been involved in Magecart incidents to generate as much profit as they can.
- In June, attackers laid traps for various industries and organizations to scratch their attack surfaces using Magecart attacks.
- In the same month, cybercriminals infected three websites owned by Endeavor Business Media with the Magecart skimming code to take advantage of unsecured AWS S3 buckets.
Be super vigilant
To prevent threats like Magecart, use a web monitoring solution to detect any webpage tampering. Also, use Content Security Policy (CSP) to limit the external sources, and limit the use of third party code for website development.