North Korea-linked hackers have been stealing payment card data from customers of large retailers in the U.S. and Europe for at least a year.
Sansec researchers reported that North Korea-linked Lazarus APT group has been stealing payment card information from customers of large retailers in the U.S. and Europe for at least a year.
The threat actors compromised legitimate websites to exfiltrate the stolen credit card data using an e-skimmer.
The activity of the Lazarus Group surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.
Researchers were investigating e-skimming attacks when they noticed that the malicious code was loaded from domains that had been involved in spear-phishing campaigns attributed to the Lazarus APT.
The e-skimmer code used in the attacks shared the same codebase. The list of victims includes dozens of stores, such as the accessories giant Claire’s, Focus Camera, CBD Armour, Microbattery, and Realchems.
To fly under the radar, the attackers compromised websites of legitimate businesses to run the skimming campaign. The compromised sites belonged to an Italian model agency (Lux Model Agency), a vintage music store from Tehran, and a bookstore in New Jersey.
“To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity.” reads the report published by the researchers. “The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”
North Korean hackers also registered domain names similar to those of the victim shops to avoid detection while exfiltrating payment card data. This tactic is quite common in Magecart-style attacks.
The Sansec researchers linked the exfiltration domains used in multiple attacks to Pyongyang. The threat actors used one of the following hijacked sites as loader and card collector:
- stefanoturco.com (between 2019-07-19 and 2019-08-10)
- technokain.com (between 2019-07-06 and 2019-07-09)
- darvishkhan.net (between 2019-05-30 and 2019-11-26)
- areac-agr.com (between 2019-05-30 and 2020-05-01)
- luxmodelagency.com (between 2019-06-23 and 2020-04-07)
- signedbooksandcollectibles.com (between 2019-07-01 and 2020-05-24)
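The two tactics described above, a hijacked third-party site serving as loader and collector and exfiltration domains that mimic the shop's own name, can be checked for from the defender's side by auditing which hosts a checkout page actually loads scripts from. The following Python script is an added example, not code from Sansec or from the report; it parses a constructed checkout page, skips first-party and allow-listed script hosts, and flags script sources that are either unlisted third parties or a near-match (small edit distance) of the shop's domain. The hostnames, the allowlist and the distance threshold are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptSrcParser(HTMLParser):
    # Collect the src attribute of every <script> tag in a page.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def second_level_label(host):
    # Crude: "example-store" from "cdn.example-store.test"; enough for a look-alike check.
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_script_sources(html, shop_host, allowed_hosts, max_distance=2):
    """Return (src, host, reason) for external scripts the page should not be loading."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlsplit(src).hostname  # None for relative paths, i.e. first-party scripts
        if (host is None or host == shop_host
                or host.endswith("." + shop_host) or host in allowed_hosts):
            continue
        if levenshtein(second_level_label(host), second_level_label(shop_host)) <= max_distance:
            findings.append((src, host, "look-alike of shop domain"))
        else:
            findings.append((src, host, "unlisted third-party host"))
    return findings

# Constructed checkout page; every hostname is a placeholder, not a real domain.
SAMPLE_HTML = """<html><body><script src="/js/checkout.js"></script>
<script src="https://cdn.example-store.test/vendor.js"></script>
<script src="https://js.payments-provider.test/sdk.js"></script>
<script src="https://example-stores.test/analytics.js"></script>
<script src="https://compromised-agency.test/loader.js"></script>
</body></html>"""
```

Run it against a saved copy of the checkout page on a schedule; since the report notes the skimmer can vanish and return days later, a single clean run is not a clean bill of health.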
Researchers provided details for each of the campaigns they have analyzed.
In some attacks, the malware disappeared from the compromised site within 24 hours and re-appeared on the same store a few days later; in the meantime, the stolen data were redirected to another domain.
The researchers pointed out that they cannot exclude that these attacks were carried out by other threat actors, but they consider the likelihood very low.
“Sansec has found proof of global skimming activity that has multiple, independent links to previously documented, North Korea attributed hacking operations. Sansec believes that North Korean state sponsored actors have engaged in large scale digital skimming activity since at least May 2019.” conclude the researchers.