Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.

Threat actors linked to North Korea have been known to launch — in addition to espionage and destructive campaigns — financially-motivated attacks, including against cryptocurrency exchanges and banks. These profit-driven attacks are believed to have helped Pyongyang raise significant amounts of money.

Sansec believes North Korean hackers, tracked by many as Lazarus and Hidden Cobra, have also targeted online stores in Magecart-style attacks. The cybersecurity firm believes the threat actor has launched these types of skimming attacks since at least May 2019. The campaign has been linked to North Korea based on overlaps in infrastructure and malware code.

According to Sansec, the hackers injected a malicious script into the checkout pages of targeted online stores in order to intercept payment card and other information entered by the shop’s customers. The collected data was then exfiltrated through a network that leveraged compromised websites, including ones belonging to a bookstore in the United States, a music store in Iran, and a modeling agency in Italy.

One of the victims of the Hidden Cobra skimming operations was a truck parts store in the US, which the hackers compromised in mid-2019. They leveraged the Italian modeling website to exfiltrate stolen information.

In more recent attacks, the hackers targeted Claire’s, photography and imaging retailer Focus Camera, and stationary and gift retailer Paper Source, all based in the United States. The attack on Claire’s was disclosed in mid-June, but the fake domain used by the attackers was set up in March, shortly after the company announced closing its physical stores due to the coronavirus pandemic.

As for the link between these Magecart attacks and North Korean hackers, Sansec has identified the use of several domains that were previously linked to North Korean campaigns by other cybersecurity companies.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” the Sansec Threat Research Team said in a blog post.

Advertisement. Scroll to continue reading.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors,” it added.

Related: Magecart Hackers Target U.S. Cities Using Click2Gov

Related: Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites

Related: Magecart Hackers Continue Improving Skimmers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.