6 July 2020

North Korean hackers pivot from cryptocurrency theft and ransomware campaigns to online skimming

North Korean state-sponsored hackers have been stealing payment card information from customers of large retailers in the U.S. and Europe for at least a year. The group, known as Lazarus or Hidden Cobra, has been compromising the online stores of large US retailers and injecting payment skimmers since at least May 2019, new research from Dutch cyber-security firm Sansec reveals.

Digital skimming, also known as Magecart attacks, has become a growing threat over the past few years; it involves stealing credit card data from customers of online shops. To do this, threat actors use so-called web skimmers: malicious scripts that copy the sensitive information customers enter on the checkout page.

While investigating a series of credit card thefts, the researchers discovered that the web skimmers were downloaded from domains previously attributed to Hidden Cobra. According to the researchers, the hackers gained access to the store code of large retailers such as the international fashion chain Claire’s and planted a malicious script in the store checkout page, allowing them to intercept credit card data as customers entered it. The harvested information was then sent to an attacker-controlled server.
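The mechanism described above (a script added to the checkout page that forwards card data to a server the attacker controls) is one a shop operator can audit for. The following added example, not Sansec's tooling or code from the report, parses a checkout page and flags every script source and every URL embedded in inline script whose host is outside an allowlist; an allowlist rather than a reputation blocklist is used because the article describes exfiltration nodes that were hijacked legitimate sites. The hostnames and HTML below are constructed for the example.

```python
"""Audit a checkout page for script loads and script-embedded URLs that point
outside an operator-maintained allowlist. Added example, not the article's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches http(s) URLs inside inline script text; stops at quotes/whitespace.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[^\s'\"<>]*")


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_checkout_page(html, allowed_hosts):
    """Return (kind, host, detail) tuples for hosts not in allowed_hosts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script", host, src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(("inline-script-url", host, url))
    return findings


# Constructed sample checkout page; hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><body><form id="checkout"><input name="cc_number"></form>
<script src="https://static.shop.test/checkout.js"></script>
<script src="https://hijacked-site.example/lib/analytics.js"></script>
<script>fetch("https://hijacked-site.example/collect");</script></body></html>"""
ALLOWED = {"static.shop.test", "shop.test"}

if __name__ == "__main__":
    for kind, host, detail in audit_checkout_page(SAMPLE_HTML, ALLOWED):
        print(f"{kind}: {host} ({detail})")
```

Running the audit on a real store's checkout page after each deployment, and diffing the findings against the previous run, turns an unexpected new host into an alert rather than a discovery months later.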

Although Sansec has yet to determine exactly how the hackers compromised the online stores, the firm said that such attackers typically use spear-phishing to obtain the passwords of retail staff.

According to the report, the victims include the accessories giant Claire’s, Wongs Jewellers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armour, Microbattery, Realchems and others.

“To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that got hijacked and repurposed to serve as a disguise for the criminal activity. The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family-run book store from New Jersey,” the researchers said.

Sansec attributed these hacks to HIDDEN COBRA on the basis of several similarities, including shared infrastructure previously associated with North Korean hacking operations:

  • technokain.com (spearphishing operations)

  • darvishkhan.net (malspam 1, 2)

  • areac-agr.com (download server for Dacls RAT)

  • papers0urce.com (IP shared with areac-agr.com, hardcoded in a Dacls sample)

“The common code, behavior, registrar and DNS server are unique traits that link these cases to the same source,” the researchers said.
