Hackers backed by the North Korean government are behind online credit card "skimming" attacks targeting US and European consumers that have been ongoing for more than a year, researchers have revealed
According to new research from Dutch IT security firm Sansec, notorious hacking group Lazarus, also known as Hidden Cobra, has targeted various e-commerce stores in the US, Europe, and Iran since May 2019, injecting payment card skimming codes
The digital skimming attack, now commonly referred to as "Magecart," involves fraudsters hacking into e-commerce websites and injecting malicious code used to steal customers' credit card information for online shopping
"Previously, North Korea's hacking activities were largely confined to banks and South Korea's crypto [currency] market, a covert cyber operation that earned hackers $2 billion, according to a 2019 United Nations report," said Sansec researchers
"As Sansec's new research shows, they are now expanding their portfolio with the lucrative crime of digital skimming
The Lazarus Group is behind the 2014 attack that stole and destroyed data at Sony Pictures, the 2016 theft of $100 million from Bangladesh Bank, and the 2017 WannaCry disk-wiping worm that caused hundreds of millions of dollars worth of damage worldwide It is widely believed
Sansec claims that hackers were able to access "store codes of large retailers," including US fashion accessories retailer Claire's
Researchers do not know exactly how the Lazarus Group was able to hack into the payment systems of these retailers, but suggested that the hackers utilized spear-phishing attacks to "obtain the passwords of retailers' staff"
"Using unauthorized access, HIDDEN COBRA injects malicious scripts into store checkout pages," the researchers explained [The skimmer waits for keystrokes from unsuspecting customers Once the customer completes the transaction, the intercepted data (eg, credit card number) is sent to a collection server managed by HIDDEN COBRA
To make money by launching such attacks, hackers have created a global network of outflows
"This network uses legitimate sites that have been hijacked and repurposed to disguise criminal activity," the researchers explained
"The network is also used to enable stolen assets to be sold on dark web markets; Sansec has identified a number of these leaked nodes, including a modeling agency in Milan, a vintage music store in Tehran, and a family-owned bookstore in New Jersey
The attacks could be traced back to North Korea via malicious domains such as technokaincom, Darvishkhannet, and areac-agrcom
"Sansec has found evidence of global skimming activity with multiple independent links to previously documented hacking activity attributed to North Korea; Sansec believes that since at least May 2019, North Korean state-sponsored actors have been engaged in large-scale digital skimming activity We believe that they are engaged in this activity"
It is not easy to ascertain whether a particular website has been compromised by credit card skimming, as the details are usually buried deep in the website code
However, one should check their credit card statements at least monthly and report any anomalies to the card issuing institution (usually the bank) immediately
Also, debit cards should not be used online because they withdraw money directly from your bank account Fraudsters who get hold of your debit card number may quickly try to wipe out your account before you or your bank realize it
Comments