Update: North Korean hackers linked to web skimming (Magecart) attacks


North Korea's state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers' payment card details as they visit the checkout page and fill in payment forms.


Attacks on online stores have been going on since May 2019, said Dutch cyber-security firm SanSec in a report published today.


The highest-profile victim in this series of hacks is accessories store chain Claire's, which was breached in April and June this year.


These types of attacks are named "web skimming," "e-skimming," or "Magecart attack," with the last name coming from the name of the first group who engaged in such tactics.


Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store's backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store's frontend.

The code loads only on the checkout page, and silently logs payment card details as they're entered into checkout forms. This data is then exfiltrated to a remote server, from where hackers collect it and sell it on underground cybercrime markets.
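Because the skimmer has to run as script on the checkout page, a store can audit that page for scripts it cannot account for. The following is an added example, not code from SanSec or from the article; the hostnames, the inline-script baseline, and the sample page are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed inventory for a hypothetical store; none of these names come from the article.
PAGE_HOST = "shop.example"
ALLOWED_HOSTS = {PAGE_HOST, "js.payments.example", "widgets.example"}
INLINE_BASELINE = {hashlib.sha256(b"window.storeConfig = {currency: 'USD'};").hexdigest()}

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (script identifier, reason)
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._inline = []  # inline script: hash its body at the end tag
        elif tag == "script":
            host = urlparse(a["src"] or "").hostname or PAGE_HOST  # relative URL: first party
            if host not in ALLOWED_HOSTS:
                self.findings.append((a["src"], "host not on allowlist"))
            elif host != PAGE_HOST and not a.get("integrity"):
                self.findings.append((a["src"], "third-party script without SRI"))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()
            if body and digest not in INLINE_BASELINE:
                self.findings.append(("inline:" + digest[:12], "inline script not in baseline"))
            self._inline = None

def audit_checkout(html):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings

SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://widgets.example/chat.js"></script>
<script src="//cdn-stats.example/collect.js"></script>
<script>window.storeConfig = {currency: 'USD'};</script>
<script>var unreviewed = 1;</script>"""  # constructed sample checkout page
print(*audit_checkout(SAMPLE), sep="\n")
```

The audit only sees scripts present in the HTML it is given, so it should be run against the page as served to a browser and compared across runs.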


Web skimming attacks usually require hackers to operate a large infrastructure to host the malicious code or run collection points.

The SanSec report links domains and server IP addresses used in recent web skimming attacks to previously-known North Korean state-sponsored hacking infrastructure.


SanSec founder Willem de Groot said evidence points back to