{"id":35903,"date":"2020-07-06T06:00:05","date_gmt":"2020-07-06T06:00:05","guid":{"rendered":"http:\/\/aa0594a0-de9b-4db7-b3fa-9aab8e8e7e81"},"modified":"2020-07-06T06:00:05","modified_gmt":"2020-07-06T06:00:05","slug":"north-korean-hackers-linked-to-web-skimming-magecart-attacks-report-says","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/north-korean-hackers-linked-to-web-skimming-magecart-attacks-report-says\/","title":{"rendered":"North Korean hackers linked to web skimming (Magecart) attacks, report says"},"content":{"rendered":"
\"kim-jong-un-generic-north-korea\"<\/span>
<\/p>\n

(Image: via file footage\/CBSNews.com)<\/p>\n

<\/span><\/figcaption><\/figure>\n

North Korea’s state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers’ payment card details as they visit the checkout page and fill in payment forms.<\/p>\n

Attacks on online stores have been going on since May 2019, said Dutch cyber-security firm SanSec in a report<\/a> published today.<\/p>\n

The highest-profile victim in this series of hacks is accessories store chain Claire’s<\/a>, which was breached in April and June this year.<\/p>\n

These types of attacks are named “web skimming,” “e-skimming,” or “Magecart attack,” with the last name coming from the name of the first group who engaged in such tactics.<\/p>\n

Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store’s backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store’s frontend.<\/p>\n

The code loads only on the check out page, and silently logs payment card details as they’re entered into checkout forms. This data is then exfiltrated to a remote server, from where hackers collect it and sell it on underground cybercrime markets.<\/p>\n

Web skimming attacks usually require hackers to operated a large infrastructure to host the malicious code or run collection points.<\/p>\n

<\/section>\n

The SanSec report links domains and server IP addresses used in recent web skimming attacks to previously-known North Korean state-sponsored hacking infrastructure.<\/p>\n

SanSec founder Willem de Groot said evidence points back to Hidden Cobra<\/a> (or Lazarus Group), the codename given by the US Department of Homeland Security to Pyongyang’s elite state-operated hacking crews.<\/p>\n

\"sansec-nk.png\"<\/span>