North Korean Hackers Behind Magecart Attacks

North Korean hackers appear to have been breaking into US e-commerce stores since May 2019 and planting digital skimming code to make money for the hermit nation.

Researchers at Sansec claimed today that the notorious Lazarus (Hidden Cobra) group was behind attacks on at least several dozen stores, including a recent high-profile raid on US accessories retailer Claire’s.

It’s unclear how the attackers gained access to the victims’ back-end systems, although spear-phishing against retail staff is a distinct possibility.

“To monetize the skimming operations, Hidden Cobra developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” Sansec continued.

“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”

The researchers linked various elements of the attacks to previous North Korean activity, including domains such as technokain.com, darvishkhan.net and areac-agr.com, from which malware and skimmers have been launched.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” argued Sansec.

“First, t ..