According to new research, North Korean cybercriminals have been stealing payment card data from customers of large online stores in the U.S. and Europe for at least one year.
Attributed to the Lazarus (Hidden Cobra) group of state-sponsored hackers, the fraudulent activity used genuine, compromised websites to exfiltrate the stolen credit card data and act as a smokescreen for the operation.
Over the last few years, stealing credit card information from customers of online stores has become a rising threat. Called Magecart attacks, these are conducted by threat actors who rely on malicious scripts injected into the checkout page that copy the card details a customer enters there.
While examining the payment card thefts, investigators at web security company Sansec found that skimmers were loaded from domains that had previously served malware in effective spear-phishing attacks attributed to North Korean (DPRK) hacker activity, especially the Lazarus group.
This overlap in infrastructure, along with distinctive characteristics in the skimmer code, helped connect the dots and attribute the card skimming attacks to North Korea. The victims include accessories giant Claire’s and Wongs Jewellers, and the full list is much larger, covering many more stores.
Registration of domain names resembling those of the victim shops is another approach that seems to bear fruit for Hidden Cobra.
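The two traits the article describes, third-party scripts or form targets loaded into a checkout page from hosts the shop does not control, and lookalike domains registered to resemble the victim shop, can both be checked on the defender's side. The following is an added example, not code from the article or from Sansec: it parses a constructed checkout page, ignores same-site and explicitly allowlisted hosts, and flags everything else as either an unlisted third party or a lookalike of the shop's own domain. All hostnames are placeholders under `.test`, and the `SHOP_HOST`, `ALLOWED_THIRD_PARTY` and similarity thresholds are assumptions to be tuned per site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page; every host is a placeholder, not an indicator.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://static.example-sh0p.test/checkout.js"></script>
<script src="https://www.some-legit-site.test/wp-content/uploads/jquery.js"></script>
</head><body>
<form action="https://checkout.example-shop.test/pay" method="post"></form>
<form action="https://analytics.example-shop-secure.test/collect" method="post"></form>
</body></html>
"""

SHOP_HOST = "example-shop.test"          # assumed: the shop's own registrable domain
ALLOWED_THIRD_PARTY = {"tagmanager.example-vendor.test"}  # assumed allowlist of known vendors


class ResourceCollector(HTMLParser):
    """Collect URLs from tags that can run code on the page or receive form data."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(("script", attrs["src"]))
        elif tag == "form" and attrs.get("action"):
            self.urls.append(("form", attrs["action"]))
        elif tag == "iframe" and attrs.get("src"):
            self.urls.append(("iframe", attrs["src"]))


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats like sh0p/shop."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Crude second-level label, e.g. 'example-shop' from 'static.example-shop.test'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def is_same_site(host, shop_host):
    return host == shop_host or host.endswith("." + shop_host)


def is_lookalike(host, shop_host):
    """True when a foreign host imitates the shop's label (same label on another
    TLD, the label embedded in a longer one, or within two edits of it)."""
    if is_same_site(host, shop_host):
        return False
    candidate, own = registrable_label(host), registrable_label(shop_host)
    if candidate == own or own in candidate:
        return True
    return levenshtein(candidate, own) <= 2


def audit_checkout_page(html, shop_host, allowed_hosts):
    """Return a list of findings for resources loaded from or posting to hosts
    that are neither same-site nor on the allowlist."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url in collector.urls:
        host = urlparse(url).hostname
        if host is None:          # relative URL resolves to the shop itself
            continue
        host = host.lower()
        if is_same_site(host, shop_host) or host in allowed_hosts:
            continue
        reason = "lookalike domain" if is_lookalike(host, shop_host) else "unlisted third party"
        findings.append({"tag": kind, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_HTML, SHOP_HOST, ALLOWED_THIRD_PARTY):
        print(f"{finding['tag']:7} {finding['host']:40} {finding['reason']}")
```

Run against a live checkout page this should produce no findings at all; any new entry is worth a look, and the "unlisted third party" case matters as much as the lookalike one, because the article notes the exfiltration hosts were genuine websites rather than obviously suspicious domains. A Content-Security-Policy that only permits the same allowlist turns the same check into an enforced control in the browser.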
Sansec’s findings are part of a bigger picture of North Korean government-funded hacking operations. Most government-backed groups engage in cyber-espionage only, but North Korea, because of sanctions that are crippling its economy, also employs state hackers to collect funds for its government.
North Korean hackers have been linked to cyber-thefts at banks across the world, in addition to ATM heists and ATM cash-outs. They are also known to acquire commodity malware from the underground cybercrime market, and have lately been found running COVID-19 phishing campaigns.
They have also been accused of creating the notorious WannaCry ransomware, which sent ripples through the IT world in May 2017. It is believed that WannaCry was a failed attempt at producing a ransomware strain for extorting money from victims to raise funds for North Korea.