Multiple retailers hit by new North Korea cyberattack

North Korean hackers deployed Magecart to launch a global credit card skimming campaign

The websites of multiple retailers in the US and Europe have been compromised by the Magecart credit card skimmer following a series of cyberattacks which are believed to have been launched by the North Korean state-sponsored advanced persistent threat (APT) group Lazarus.

Up until now, North Korean hacking activity was limited to banks and South Korean cryptocurrency markets, and the country’s covert cyber operations have earned hackers $2bn, according to a report released last year by the UN.

As reported by Computer Weekly, Sansec researcher Willem de Groot first discovered the new campaign that has been operating for over 12 months.

De Groot believes the campaign is financially motivated, as obtaining hard currency can be difficult for North Korea and its government. The stolen payment card details acquired from Magecart can be sold for between $5 and $30 on dark web forums, which means that the operation has likely been quite lucrative for the Lazarus group.

Global skimming campaign

According to a blog post from Sansec, the Lazarus group used the sites of an Italian modeling agency and a vintage music store in Tehran to run its global skimming campaign.

In order to monetize its skimming operations, the group developed a global exfiltration network that utilizes compromised websites as a disguise for its criminal activity. The network is also used to funnel the stolen assets so that they can be sold on dark web markets.

Sansec research connected the dots to lead back to the Lazarus group after it identified multiple, independent links between recent skimming activity and previously documented North Korean hacking operations. The firm believes that the group used spear phishing attacks to obtain staff passwords to online retail sites. Once inside, the hackers injected the malicious Magecart script into these stores’ checkout pages, where the skimmer was able to collect customers’ payment data.

It was first discovered that hackers had infiltrated these sites back in June of last year and Sansec has been tracking the campaign ever since through unique identifying characteristics and distinctive patterns in the skimmer’s code.

Via Computer Weekly

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
