North Korean government-backed hackers are behind a wave of online credit-card "skimming" attacks on American and European consumers that has been going on for more than a year, researchers say.
According to new research from Dutch IT security firm Sansec (opens in new tab), the infamous Lazarus hacking group, also known as Hidden Cobra, has been targeting and injecting payment-card-skimming code into a range of e-commerce stores in the U.S., Europe and Iran beginning in May 2019.
- The best antivirus apps to keep all your devices safe
- Best VPN: add an extra layer of security with a virtual private network
- Just in: Mozilla VPN – all you need to know and how it compares to the rest
Digital skimming, now commonly called "Magecart," attacks involves crooks hacking into e-commerce websites and injecting malicious code that is used to steal customers' credit-card details as they shop online.
“Previously, North Korean hacking activity was mostly restricted to banks and South Korean crypto[currency] markets, covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations report,” said Sansec researchers. “As Sansec’s new research shows, they have now extended their portfolio with the profitable crime of digital skimming.”
The Lazarus Group is widely believed to be behind the 2014 attack that stole and destroyed data at Sony Pictures, the 2016 theft of $100 million from the Bank of Bangladesh and the 2017 WannaCry disk-wiping worm that caused hundreds of millions of dollars' worth of damage worldwide.
- More: Sure your Apple device is secure? Check out what a Mac VPN offers
Sansec claims the hackers were able to “gain access to the store code of large retailers”, including U.S. fashion accessories retailer Claire’s.
The researchers aren’t exactly sure how the Lazarus Group was able to hack into the payment systems of these retailers, but suggested that the hackers leveraged spear phishing attacks to “obtain the passwords of retail staff".
“Using the unauthorized access, HIDDEN COBRA injects its malicious script into the store checkout page,” explained the researchers.
“The skimmer waits for keystrokes of unsuspecting customers. Once a customer completes the transaction, the intercepted data -- such as credit card numbers -- are sent to a HIDDEN COBRA-controlled collection server."
To launch and make money from these attacks, the hackers set up a global exfiltration network.
“This network utilizes legitimate sites that got hijacked and repurposed to serve as disguise for criminal activity," the researchers explained.
“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family-run bookstore from New Jersey.”
The attacks were traced back to North Korea via malicious domains like technokain.com, Darvishkhan.net and areac-agr.com.
“Sansec has found proof of global skimming activity that has multiple, independent links to previously documented, North Korea attributed hacking operations. Sansec believes that North Korean state sponsored actors have engaged in large scale digital skimming activity since at least May 2019.”
It's not easy to see whether a particular website has been compromised by credit-card skimmers, since the details are usually buried deep in the website's code.
However, you should check your credit-card statements at least every month, and report anything amiss to your card's issuing organization -- usually a bank -- immediately.
You also don't want to use debit cards online, as those withdraw money directly from your bank account, and crooks who get hold of debit-card numbers may try to clean out your account quickly before you or your bank have a chance to notice.