Hackers linked to the notorious North Korean Lazarus group are breaking into online stores and stealing customer credit card details when customers visit checkout pages. The attacks, known as “page plunder” or “Magecart attacks,” have been going on since May 2019 and have hit large retailers such as international fashion chain Claire’s.
Sansec, a Dutch cybersecurity firm, reported the attacks. It writes that this kind of digital card theft has been on the rise since 2015, and that while it was traditionally the work of Russian and Indonesian hacker groups, government-backed North Korean criminals are now intercepting credit card details in online stores.
The attacks involve gaining access to the back-end servers of the storefront, usually by sending booby-trapped messages to employees to obtain their passwords. Hackers infiltrated the website of jewelry store Claire’s in April and June. Once a website is compromised, a malicious script is loaded on the checkout page and steals credit card details as they are entered into a form. Once the transaction is complete, the intercepted data is sent to a collection server controlled by the hacker organization and sold on the dark web.
The group has built a global network of hijacked websites to profit from these operations. Legitimate websites are taken over and reused as cover for criminal activity and to transport stolen assets. A modeling agency in Milan, an antique music store in Tehran and a family-run bookstore in New Jersey are all part of the network.
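Because the injected script runs on the checkout page and the collection hosts can be hijacked legitimate sites, a store cannot rely on a script host merely looking reputable. It needs an explicit allowlist for checkout scripts. The following is an added example, not code from Sansec or from the article: it audits a checkout page's script tags against such an allowlist and flags approved third-party scripts that lack Subresource Integrity. All host names, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"].strip(), a.get("integrity")))


def audit_checkout(html, page_url, allowed_hosts):
    """Return (finding, host, src) tuples for risky external scripts."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        # urljoin resolves relative and protocol-relative (//host/x.js) sources
        host = urlparse(urljoin(page_url, src)).hostname
        if host == page_host:
            continue  # first-party: cover with file-integrity monitoring
        if host not in allowed_hosts:
            findings.append(("unapproved-host", host, src))
        elif not integrity:
            findings.append(("missing-sri", host, src))
    return findings


# Constructed sample page and allowlist (hypothetical hosts).
PAGE_URL = "https://shop.example/checkout"
ALLOWED = {"payments.example", "cdn.example"}
SAMPLE = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://payments.example/v3/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://bookstore.example/static/track.js"></script>
<form action="/pay"><input name="cc_number"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE, PAGE_URL, ALLOWED):
        print(finding)
```

A static audit like this only sees scripts present in the served HTML; scripts added at runtime are better constrained by a Content-Security-Policy `script-src` built from the same allowlist.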
Sansec researchers have found a link between the activity and previous North Korean hacking. The evidence points to Hidden Cobra, also known as the Lazarus Group, which was behind the 2014 Sony Pictures hack and the 2016 bank robbery in Bangladesh and is widely believed to have been responsible for the WannaCry malware.