
North Korean hackers linked to Magecart attack spree

Cyber criminals with ties to Lazarus have been intercepting checkouts on a global scale since at least May 2019

North Korean hackers with ties to Lazarus Group have pivoted to skimming online shopping platforms in recent months, following in the footsteps of the Magecart hacking collective.

Security researchers have found links between recent global skimming activity and previously documented North Korean hacking operations, particularly cyber criminals linked with the group known as Lazarus, or HIDDEN COBRA.

The infrastructure used by Lazarus Group operations has been reused for Magecart-like attacks, with distinctive patterns in the malware code identified, linking multiple hacks to the same group, according to a report published by Sansec.

Digital skimming is the interception of credit card data during online purchases, a practice traditionally dominated by Russian and Indonesian cyber criminals. This is no longer the case, however, with North Korean hackers aggressively ramping up activity in this space since May 2019.

Thousands of sites are known to have fallen victim to ‘Magecart’ tactics over the last year or so, with this method of attack named after the collective that first targeted British Airways, Ticketmaster and Newegg in 2018. In July last year, more than 17,000 domains were compromised by Magecart in a massive ‘spray and pray’ attack targeting sites with misconfigured Amazon S3 buckets.

To intercept payments, an attacker must modify the computer code that runs the online store. Lazarus managed to gain access to the store code of large retailers, using as-yet unknown methods. One theory, however, is that spearphishing attacks were used to obtain the passwords of retail staff.

Using this access, the attackers would then inject a malicious script into the store checkout page, and wait for a customer to make a transaction. Once a customer completes their purchase, the intercepted data is sent to a collection server.
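A defender's check for the injection described above, as an added example that is not from Sansec or the original article: it audits a checkout page's HTML for scripts loaded from hosts outside an allowlist, third-party scripts without Subresource Integrity, and inline scripts whose hash is not in a known baseline. The host names, function names and sample page are all constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page: first-party script, payment SDK with SRI, unknown host, inline init.
SAMPLE = """<html><body><form id="checkout"></form>
<script src="/static/checkout.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn-assets.example.net/ui.js"></script>
<script>initCheckout();</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external (src, has_integrity) or inline body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.external.append((a["src"], bool(a.get("integrity"))))
        elif tag == "script":
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_checkout(html, store_host, allowed_hosts, known_inline_hashes):
    """Return (finding, detail) tuples for scripts that need review."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src).hostname or store_host  # relative URL: first party
        if host != store_host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif host != store_host and not has_sri:
            findings.append(("no-integrity", src))
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(("changed-inline", digest))
    return findings
```

This only sees scripts present in the served HTML. A skimmer appended to an existing first-party file would not be flagged here and needs file-integrity monitoring of the store code itself.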

In June 2019, researchers with Sansec discovered a skimmer on a US track parts store using a compromised Italian modelling site to harvest payment data, with the same malware emerging a week later to target a New Jersey book store.

Several domains resembling popular consumer brands were later registered in February and March 2020, with Sansec subsequently finding the web stores of all three compromised with payment skimming malware.

The three malware strains not only shared the same infrastructure, but also shared a snippet of code that Sansec had not observed elsewhere. After further analysis, the researchers concluded they had evidence that North Korean state-sponsored hackers have been engaging in large digital skimming operations since at least May 2019.
