Connect with us

Hi, what are you looking for?



Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire’s and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday.

Threat actors linked to North Korea have been known to launch — in addition to espionage and destructive campaigns — financially-motivated attacks, including against cryptocurrency exchanges and banks. These profit-driven attacks are believed to have helped Pyongyang raise significant amounts of money.

Sansec believes North Korean hackers, tracked by many as Lazarus and Hidden Cobra, have also targeted online stores in Magecart-style attacks. The cybersecurity firm believes the threat actor has launched these types of skimming attacks since at least May 2019. The campaign has been linked to North Korea based on overlaps in infrastructure and malware code.

According to Sansec, the hackers injected a malicious script into the checkout pages of targeted online stores in order to intercept payment card and other information entered by the shop’s customers. The collected data was then exfiltrated through a network that leveraged compromised websites, including ones belonging to a bookstore in the United States, a music store in Iran, and a modeling agency in Italy.

One of the victims of the Hidden Cobra skimming operations was a truck parts store in the US, which the hackers compromised in mid-2019. They leveraged the Italian modeling website to exfiltrate stolen information.

In more recent attacks, the hackers targeted Claire’s, photography and imaging retailer Focus Camera, and stationary and gift retailer Paper Source, all based in the United States. The attack on Claire’s was disclosed in mid-June, but the fake domain used by the attackers was set up in March, shortly after the company announced closing its physical stores due to the coronavirus pandemic.

As for the link between these Magecart attacks and North Korean hackers, Sansec has identified the use of several domains that were previously linked to North Korean campaigns by other cybersecurity companies.

Advertisement. Scroll to continue reading.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” the Sansec Threat Research Team said in a blog post.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors,” it added.

Related: Magecart Hackers Target U.S. Cities Using Click2Gov

Related: Magecart Skimming Attack Hits Hundreds of Campus e-Commerce Sites

Related: Magecart Hackers Continue Improving Skimmers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...