6 July 2020

North Korean hackers pivot from cryptocurrency theft and ransomware campaigns to online skimming

North Korean state-sponsored hackers have been stealing payment card information from customers of large retailers in the U.S. and Europe for at least a year. The group, known as Lazarus or Hidden Cobra, has been compromising the online stores of large US retailers and injecting payment skimmers since at least May 2019, new research from Dutch cyber-security firm Sansec reveals.

Digital skimming, otherwise known as Magecart attacks, has become a growing threat over the past few years and involves stealing credit card data from customers of online shops. To do this, threat actors use so-called web skimmers, malicious scripts that copy the sensitive information from the checkout page.

While investigating a series of credit card thefts, the researchers discovered that web skimmers were downloaded from domains previously attributed to Hidden Cobra. According to the researchers, the hackers gained access to the store code of large retailers such as the international fashion chain Claire’s and planted a malicious script into the store checkout page that allowed them to intercept credit card data as customers entered it. The gathered information was then sent to an attacker-controlled server.
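A defender-side check that follows from the above, as an added example rather than code from the article or from Sansec: every script loaded on a checkout page is compared against an allowlist of hosts the retailer expects, and any host matching one of the domains the article lists as Hidden Cobra infrastructure is flagged as an indicator. The retailer allowlist and the sample checkout HTML are constructed for the example.

```javascript
// Domains the article reports as Hidden Cobra infrastructure; a checkout
// page loading a script from any of them is flagged as an indicator hit.
const REPORTED_INDICATOR_HOSTS = [
  "technokain.com", "darvishkhan.net", "areac-agr.com", "papers0urce.com",
];

// Hosts a hypothetical retailer expects on its checkout page (assumption).
const ALLOWED_HOSTS = ["shop.example", "cdn.shop.example", "js.stripe.com"];

// Pull src attributes out of <script> tags in captured HTML. A regex is
// adequate for an offline audit; a production scanner would use a DOM parser.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Resolve relative and protocol-relative URLs against the page origin.
function hostOf(src, pageOrigin) {
  return new URL(src, pageOrigin).hostname.toLowerCase();
}

// One finding per script whose host is not allowlisted; severity is
// "indicator" when the host matches a reported domain, else "unexpected".
function auditScriptSources(html, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const src of extractScriptSources(html)) {
    const host = hostOf(src, pageOrigin);
    if (allowedHosts.includes(host)) continue;
    const isIndicator = REPORTED_INDICATOR_HOSTS.some(
      (d) => host === d || host.endsWith("." + d)
    );
    findings.push({ src, host, severity: isIndicator ? "indicator" : "unexpected" });
  }
  return findings;
}

// Constructed sample checkout page: two expected scripts, one unapproved
// third-party tag, and one script served from a reported indicator domain.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.analytics-example.net/tag.js"></script>
<script type="text/javascript" src="https://papers0urce.com/gw.js"></script>
`;
```

Running the audit over the sample with `auditScriptSources(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout")` yields two findings: the analytics host as unexpected and papers0urce.com as an indicator.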

Although Sansec has yet to determine exactly how the hackers compromised the online stores, the firm said that this group typically uses spear-phishing attacks to obtain the passwords of retail staff.

According to the report, the victims include accessories giant Claire’s, Wongs Jewellers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armour, Microbattery, Realchems and others.

“To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity. The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey,” the researchers said.

Sansec attributed these hacks to HIDDEN COBRA because of several similarities, including shared infrastructure previously associated with North Korean hacking operations:

  • technokain.com (spearphishing operations)

  • darvishkhan.net (malspam 1, 2)

  • areac-agr.com (download server for Dacls RAT)

  • papers0urce.com (IP shared with areac-agr.com, hardcoded in a Dacls sample)

“The common code, behavior, registrar and DNS server are unique traits that link these cases to the same source,” the researchers said.
