Card Not Present Fraud , Cybercrime , Cyberwarfare / Nation-State Attacks

North Korean Hacking Infrastructure Tied to Magecart Hits

Hidden Cobra Stealing E-Commerce Payment Card Data, Security Firm Sansec Reports
North Korean Hacking Infrastructure Tied to Magecart Hits
Attacks traced to the same campaign that uses North Korean hacking infrastructure make use of a deceptively named component called "__preloader" (Source: Sansec)

Hackers with apparent ties to North Korea have extended their bag of online attack tricks beyond cryptocurrency mining, online bank heists and ransomware. Now, they're also hitting e-commerce merchants in the U.S. and Europe to steal payment card data.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

So says Dutch security firm Sansec, which reports that it has found the same malicious infrastructure backing multiple Magecart-style attack campaigns as has been seen in attacks previously attributed to Lazarus, aka Hidden Cobra, which refers to hackers with apparent ties to the Pyongyang-based government of North Korea, led by Kim Jong-Un.

"Sansec has established multiple, independent links to previously documented North Korean hacking activity," the firm says in a new report, noting that the North Korean activity appears to date to at least May 2019.

"To monetize the skimming operations, Hidden Cobra developed a global exfiltration network," Sansec says. "This network utilizes legitimate sites that got hijacked and repurposed to disguise the criminal activity. The network is also used to funnel the stolen assets so they can be sold on dark web markets."

Some of the legitimate sites that have been used as "exfiltration nodes" for stolen payment card data include sites run by a Milan modeling agency, a vintage music store in Tehran as well as "a family-run book store" in New Jersey, Sansec says.

Hidden Cobra Operations

Hidden Cobra is the U.S. government's nickname for one or more hacking teams run by the Pyongyang-based North Korean government, officially known as the Democratic People's Republic of Korea. Hidden Cobra appears to have been active since at least 2009, and is also known as DarkSeoul, the Guardians of Peace, Silent Chollima, Bureau 121 and Lazarus group.

Magecart refers to the types of card-data-scraping tools, used by a number of criminals, which provide so-called digital card skimming or scraping capabilities that allow them to steal card data from e-commerce platforms. Previous victims of this style of attack have included British Airways, Ticketmaster UK and jewelry and accessories retailer Claire's.

Sansec, which is one of a number of firms that scan the web for signs of Magecart attacks, says that it typically turns up 30 to 100 newly infected e-commerce stores per day.

Among the findings that led Sansec to suggest that North Korea has been carrying out Magecart attacks: A number of the attacks it spotted use pieces of malware, including a malicious loader, and a remote-access Trojan with a hardcoded IP address - used as a command-and-control server - that have been previously tied to North Korean operations. Sansec says the IP address has also previously been used by phishing campaigns, attributed to North Korea, to download malicious code onto victims' systems. Many of the attacks tied to that infrastructure also install a deceptively named component called "__preloader" onto hacked sites.

Sansec says this long-running attack campaign also stands out because it appears to be much better planned and less opportunistic. "The DPRK-linked attacks all show extended preparation and customization, whereas most previous Magecart attacks were opportunistic, automated campaigns that went after the weakest targets - e.g. stores with known vulnerabilities," Dutch security researcher Willem de Groot, lead forensic analyst and founder of Sansec - formerly known as Sanguine Security - tells Information Security Media Group. "We have reason to believe that the DPRK-linked actors used spear-phishing attacks against selected retailers. The ramification is that large store operators require much stronger security procedures than, say, last year. Technical measures are required but are certainly not enough."

Claire's Hack

Sansec says the Hidden Cobra infrastructure has been used to hit at least several dozen e-commerce operations, including the online operations of Claire's.

Diagram shows a subset of victim stores (in green) and Hidden Cobra-controlled exfiltration nodes (in red), together with (in yellow) a uniquely identifying modus operandi - aka tactics, techniques and procedures. (Source: Sansec)

The attack against Claire's, which dates to April, was spotted by Sansec and disclosed to the Hoffman Estates, Illinois-based retailer last month. At the time, Claire's confirmed the attack to ISMG and said it took immediate action to fix it.

"Claire's got 'Magecarted' right after locking down for COVID," de Groot told ISMG last month, noting that Claire's Salesforce Commerce Cloud had been hit.

How the attackers using Hidden Cobra infrastructure were able to access Claire's Salesforce instance remains unknown - or at least undisclosed by the retailer. But the new Sansec report notes that "attackers often use spear-phishing attacks - booby-trapped emails - to obtain the passwords of retail staff," and then gain access to online e-commerce systems.

"Using the unauthorized access, Hidden Cobra injects its malicious script into the store checkout page," it says. "The skimmer waits for keystrokes of unsuspecting customers. Once a customer completes the transaction, the intercepted data - such as credit card numbers - are sent to a Hidden Cobra-controlled collection server."

The homepage for Claire's in mid-June, when Sansec found the company's website had been hacked in an attack it now attributes to Hidden Cobra

Magecart Tactics

Magecart refers to a set of tactics - used by multiple groups - to steal payment card data from websites. "Magecart is simply the term we have for an MO that is as follows: 'Webskimming for payment information,'" Yonathan Klijnsma, a threat researcher at RiskIQ, has told ISMG (see: Magecart Cybercrime Groups Harvest Payment Card Data).

Early Magecart attacks, which began around 2015, saw hackers sneak JavaScript onto e-commerce pages to copy card data when customers checked out, and route the card data directly to attackers. But the attacks have evolved significantly since then, both in terms of attack capabilities and the malicious infrastructure being used to support these campaigns, to the point that by the end of 2018, researchers counted more than 100,000 e-commerce sites as having been infected - and sometimes re-infected - with Magecart code.

After stealing payment card data, Magecart attackers will typically route the data to underground credit card shops for sale, according to security firm RiskIQ. From there, buyers will then typically use money mules to try to convert the payment card numbers into cash or to buy and ship stolen goods.

"The DPRK-linked attacks all show extended preparation and customization, whereas most previous Magecart attacks were opportunistic, automated campaigns that went after the weakest targets - e.g. stores with known vulnerabilities"
—Willem de Groot, Sansec

Sansec says early Magecart attacks were largely the provenance of Russian and Indonesian gangs, although it notes that the North Koreans now also appear to be getting a piece of the criminal action - and in a sophisticated enough manner to potentially net large sums.

"The level of sophistication shows that more resources are allocated towards compromising large stores," de Groot says. "Also, DPRK hacking campaigns were previously associated with illicit revenues of hundreds of millions of dollars. The potential profit from digital skimming may not be far off."

Sanctions Target Pyongyang

What can be done to stop these attacks? Security experts say all organizations that maintain an e-commerce presence should carefully monitor their infrastructure to ensure that it hasn't been suborned by hackers.

On the geopolitical front, meanwhile, in September 2019, the U.S. Treasury Department sanctioned three alleged North Korean state-sponsored hacking groups that have been blamed for the WannaCry ransomware outbreak, online bank heists via the SWIFT interbank transfer system - including the Bangladesh Bank attack - as well as the destructive malware attack against Sony Pictures Entertainment.

North Korean leader Kim Jong-un, pictured in December 2017 (Photo: KCNA)

The sanctions specifically named Lazarus group, as well as two subgroups - Bluenoroff and Andariel - and banned members of the alleged hacking groups from accessing any property within the United States. Also, U.S. citizens are banned from doing any type of business with the groups.

But are such sanctions effective? Pyongyang has long been targeted by multiple sanctions, which have made it more difficult for the company to import or export many goods.

In response, it has embraced the internet to give it asymmetric money-making capabilities, to the extent that it has been able to drive $2 billion into developing its missile and nuclear-weapon programs (see: North Korean Hacking Funds WMD Programs, UN Report Warns).

The report also found evidence of "continued violations" of sanctions that have helped the Pyongyang-based regime obtain not only prohibited weapons components, but also luxury goods.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.