Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.

Threat actors linked to North Korea have been known to launch — in addition to espionage and destructive campaigns — financially-motivated attacks, including against cryptocurrency exchanges and banks. These profit-driven attacks are believed to have helped Pyongyang raise significant amounts of money.

Sansec believes North Korean hackers, tracked by many as Lazarus and Hidden Cobra, have also targeted online stores in Magecart-style attacks. The cybersecurity firm believes the threat actor has launched these types of skimming attacks since at least May 2019. The campaign has been linked to North Korea based on overlaps in infrastructure and malware code.

According to Sansec, the hackers injected a malicious script into the checkout pages of targeted online stores in order to intercept payment card and other information entered by the shop’s customers. The collected data was then exfiltrated through a network that leveraged compromised websites, including ones belonging to a bookstore in the United States, a music store in Iran, and a modeling agency in Italy.

One of the victims of the Hidden Cobra skimming operations was a truck parts store in the US, which the hackers compromised in mid-2019. They leveraged the Italian modeling website to exfiltrate stolen information.

In more recent attacks, the hackers targeted Claire’s, photography and imaging retailer Focus Camera, and stationary and gift retailer Paper Source, all based in the United States. The attack on Claire’s was disclosed in mid-June, but the fake domain used by the attackers was set up in March, shortly after the company announced closing its physical stores due to the coronavirus pandemic.

As for the link between these Magecart attacks and North Korean hackers, Sansec has identified the use of several domains that were previously linked to North Korean campaigns by other cybersecurity companies.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” the Sansec Threat Research Team said in a blog post.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors,” it added.

Related: Magecart Hackers Target U.S. Cities Using Click2Gov

Related: Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites

Related: Magecart Hackers Continue Improving Skimmers