North Korean Hackers Are Skimming US And European Shoppers
North Korean state-sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN COBRA group were found to be breaking into the online stores of large US retailers and planting payment skimmers as early as May 2019, says the Sansec Threat Research Team. “Previously, North Korean hacking activity was mostly restricted to banks and South Korean crypto markets, covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations report. As Sansec’s new research shows, they have now extended their portfolio with the profitable crime of digital skimming,” says the research team.
The researchers said they have identified many exfiltration nodes in the hackers’ network in recent months, including a New Jersey-based book store, a vintage music store from Tehran and a modelling agency in Milan.
In June last year, Sansec found that a US truck parts store was infected with a payment skimmer. The skimmer used a compromised Italian modelling site to exfiltrate payment card data to the attackers. Although the malware was removed from the web store within 24 hours, it returned a week later with some changes: instead of using the compromised Italian site, the malware this time used a New Jersey-based book store to harvest customers’ payment card data.
In the following months, the researchers found the same piece of malware on dozens of other online stores, all using one of the following hijacked websites as loader and card collector:
Earlier this year, hackers registered some new domains resembling popular consumer brands. Subsequently, they compromised the web stores of three corresponding brands with payment skimming malware and used their anonymously registered domains as loader and card collector.
Lazarus group, also known as Hidden Cobra, gained notoriety in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.
Once a malicious individual or group has login credentials, they can quietly inject malicious code into the checkout page of a retail site. Much like a trojanized version of a legitimate mobile app, this is close to impossible for a consumer to spot, and if the retail organization doesn’t have proper security measures built in across all channels, they might not recognize the change in their code until it’s too late.
Traditionally, seeing a state-sponsored group carry out a card skimming campaign might seem curious, especially if it was a wealthier nation. Magecart is far less complex than what the world is accustomed to seeing from nation-states and is usually carried out by individuals or smaller groups for incremental financial gain. However, North Korea is so heavily sanctioned and struggles economically, so it will clearly use whatever tactics it can to get access to funds.
Code injection attacks like this are impossible for a consumer to see and incredibly difficult for an organization to spot if they don’t have the right security tools in place. Much like trojanizing a legitimate version of a mobile app, injecting malicious code into a webpage can be a cheap and easy way to grab a handful of valuable personal data.
So, what does this say about the group’s current TTPs and how they may have evolved over the years?
Lazarus Group has targeted financials for years with a past focus on institutions and online cryptocurrency exchanges. The addition of Magecart to their arsenal shows that they’re taking any measures possible to gain access to funds. By likely using phishing attacks to gain access to employee login credentials, it also shows that they are leveraging more parts of the risk landscape to covertly gain access to organizations’ infrastructure. Across the board, we’re seeing governments take on more complex means to track and compromise civilians for various reasons, such as the Chinese government targeting the Uighur population through mobile devices and applications.
Organizations need to lock down every potential risk vector – from customer payment platforms to employee mobile devices. By the same token of giving up their credit card data, an employee could be phished for their login credentials from their mobile device and give a malicious actor access to highly sensitive data inside the corporate infrastructure. Whatever angle is taken, now is a time where IT and security teams must evaluate every possible threat vector that an attacker could take advantage of.”
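A defender-side check for the pattern described above (skimmer code loaded from, and card data posted to, a host unrelated to the store), added here as example code that is not from the article, Sansec or any quoted expert. The allowlist, hostnames and checkout page are constructed; a real allowlist would come from the site's build manifest.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this retailer knowingly loads code from or posts data to.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "checkout.payments-provider.example"}
# Constructed checkout page: first-party script, payment form, one inline script, and a
# script pulled from an unrelated third-party host that is not on the allowlist.
SAMPLE_CHECKOUT_HTML = """<html><head>
<link rel="stylesheet" href="/css/checkout.css">
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="//vintage-records.example/assets/loader.js"></script>
</head><body>
<form action="https://checkout.payments-provider.example/pay" method="post"></form>
<script>/* inline first-party code */</script>
</body></html>"""


class ExternalRefCollector(HTMLParser):
    """Record the host behind every attribute that can load code or receive form data."""
    ATTRS = {"script": "src", "iframe": "src", "form": "action", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = set()        # (tag, host) for absolute or scheme-relative URLs
        self.inline_scripts = 0  # <script> with no src; skimmers are often injected inline

    def handle_starttag(self, tag, attrs):
        attr = self.ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if tag == "script" and value is None:
            self.inline_scripts += 1
            return
        host = urlparse(value or "").hostname  # None for relative paths such as /css/x.css
        if host:
            self.refs.add((tag, host))


def audit_checkout_page(html, allowed=ALLOWED_HOSTS):
    """Hosts the page loads from or posts to that are off the allowlist, plus inline count."""
    p = ExternalRefCollector()
    p.feed(html)
    return {"unexpected": sorted(r for r in p.refs if r[1] not in allowed),
            "inline_scripts": p.inline_scripts}


def csp_header(allowed=ALLOWED_HOSTS):
    """Content-Security-Policy header that makes the browser enforce the same allowlist."""
    hosts = " ".join(sorted(allowed))
    return (f"default-src 'self'; script-src 'self' {hosts}; connect-src 'self' {hosts}; "
            f"form-action 'self' {hosts}; frame-src 'self' {hosts}")
```

Run the audit against each deploy of the checkout page and alert on any new entry in `unexpected` or any change in the inline-script count; the CSP header turns the same allowlist into a browser-enforced block on loading from or posting to an unlisted host.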
Brandon Hoffman, CISO, Head of Security Strategy at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, notes:
“It is certainly not a surprise that nation-state activity would cross over into the realm of cybercrime. It has been discussed in intelligence circles for years that the boundary between nation state and cybercrime is becoming blurred. Nation state actors have been re-purposing, buying, and using more mainstream cybercrime tools and services to obfuscate their activity. The fact that nation state activity is now directly related to perpetrating attacks for financial gain is not a surprise because many of these countries need another source of funds to cover costs of teams and to fuel the real goals of nation state hacking. Magecart activity may be the first but won’t be the last. From their perspective, if they have the tools and skills to perform advanced persistent threat activity, why wouldn’t they use it to fill the coffers as well?
To the second point, considering the history of Lazarus group, this shift to more transactional fraud activity makes sense. Back in 2018, a DOJ criminal complaint was unsealed that named one purported member of Lazarus group in activity related to stealing $81 million from a bank, the Sony attack, and even WannaCry ransomware. The fact that Lazarus group, purportedly, was involved in ransomware activity and bank fraud over the years speaks directly to the evolution of these TTPs as in line with the current cybercriminal landscape. I would expect them to keep pace with in-vogue methods and techniques of fraud and exercise their opportunity when they can.”