
After targeting banks and bitcoin wallets, Pyongyang’s cyber-mercenaries are now preying on consumers, applying the tactics of Magecart groups.
Kim Jong-un’s hackers have found a new way to get rich: hack e-commerce sites in Europe and the United States and steal consumers’ credit card data. This type of attack, known by the generic term “Magecart”, is nothing new. It consists of injecting JavaScript code into the merchant's site that transmits payment card data at the moment of purchase.
Several Russian and Indonesian groups have specialized in this niche in recent years. But they now have to contend with a new competitor that, until now, had been content to hack banks and empty bitcoin wallets.
Detected by Sansec security researchers, this new activity dates back to at least May 2019, with around ten infected merchant sites: fashion stores (Claire’s, WongsJewellers), sites selling CBD oil or pharmaceutical products (CBD Armor, Realchems), sellers of technical equipment (MicroBattery, Jit Truck Parts), etc.

Credit card data is not sent directly to the hackers' servers, but is first routed through other websites that the North Korean hackers have also compromised, possibly to muddy the waters. It is these intermediary sites that allow Sansec to establish the link with North Korea, as they have been used in campaigns by the well-known group Hidden Cobra, also known as Lazarus, which notably hacked Sony Pictures and created WannaCry.
Source: Sansec