Posted on July 8, 2020 at 2:23 PM
A recent report reveals that North Korean hackers are involved in web skimming attacks. This comes after the hacking group deployed ransomware, carried out ATM cash-outs, and hacked cryptocurrency exchanges and banks.
The report revealed that the North Korean-backed hacking group is infiltrating online stores and inserting malicious code that steals buyers' payment card details when they reach the checkout page and enter their credit card information.
There has been a massive increase in online purchases as the recent COVID-19 pandemic has forced governments to enforce stay-at-home rules. Those who would normally go out shopping have joined the online buyers. As a result, hackers are taking every opportunity to hack and steal the credit card details of buyers.
The North Korean hackers, previously known for their cyber espionage, have now expanded into cybercrime to raise money for the North Korean government.
Hackers targeting online stores since last year
In a report published today, Netherlands-based cybersecurity firm SanSec said hackers have been attacking online stores since May last year.
Since the attacks began, the accessories retail chain Claire's has been the highest-profile victim; it was infiltrated in April and again last month.
These attacks on buyers are referred to as "Magecart attacks," "e-skimming," or "web skimming," with the first name taken from the hacking group that pioneered this type of attack.
E-skimming attack is simple
Although a web skimming attack requires a level of sophistication and technical tooling from the hackers, it is simple in nature. The hackers' main goal is to get into a web store's backend server, a third-party widget, or an associated resource. After gaining access, they install and run malicious code on the store's frontend.
The code loads only on the checkout page and quietly logs payment details as they are entered into checkout forms. The data is then sent to the hackers' remote server, where they retrieve it and sell it on the darknet.
An e-skimming attack generally requires the hacker to operate a large infrastructure that will run collection points or host the malicious code.
According to the SanSec report, the IP addresses and domains used in the recent e-skimming attacks overlap with hacking infrastructure previously used by the North Korean state-sponsored hacking syndicate.
Hackers have affiliations with the Lazarus Group
According to Willem de Groot, SanSec founder, there is strong evidence that the hacking incidents were orchestrated by the notorious Lazarus Group (also known as Hidden Cobra).
De Groot said it's not clear how the hackers gained the access needed to steal the card details.
“How HIDDEN COBRA got access is yet unknown, but attackers often use spearphishing attacks to obtain the passwords of retail staff,” he pointed out.
Increased cybercrime from North Korean hackers
According to SanSec's findings, the North Korean hackers are dabbling in cybercrime, unlike other state-sponsored hacking groups that engage only in cyber espionage. The security firm reported that, apart from engaging in cyber espionage, the North Korean hackers also try to steal information they can sell to raise money for the country's crippled economy.
The severe sanctions international bodies have placed on the country are hurting it financially. As a result, the hacking group is also engaged in cybercrime to raise funds for its government.
North Korean hackers involved in a series of hacking campaigns
Pyongyang’s hackers have been involved in cyberattacks on several banks all over the world. They have also been linked with ATM cash-outs and ATM heists, as well as the infiltration of cryptocurrency exchanges.
Additionally, they have been discovered planning COVID-19-themed phishing campaigns. They also buy commodity malware on the darknet to use in attacks on various organizations.
They have also been accused of creating the infamous WannaCry ransomware in 2017, which affected many companies in the IT industry all over the world.
Experts and several authorities said WannaCry was a failed attempt to launch a ransomware strain that would be used to steal money for the Pyongyang regime.
The recent web skimming campaign by the North Korean group does not come as a surprise, given the group's history of expanding into any cybercrime that can yield financial gain.