
New Study Reveals That North Korean Hackers Are Focusing Heavily on Magecart Attacks

North Korean hackers have leaned heavily on cybercrime to bring money into the reclusive regime for years. The country’s state-sponsored advanced persistent threat (APT) groups have been implicated in ransomware, attacks on ATMs and theft of cryptocurrency funds among other schemes that have pulled in a collective $2 billion. A new study from Dutch cybersecurity firm SanSec indicates that the country’s hackers have now moved on to a heavy focus on Magecart attacks.

These attacks focus on planting malicious code in online shopping carts, particularly the widely used Magento system. They are essentially the digital version of the credit card skimmers that thieves install on ATMs and gas pumps. The attacks often target individual stores, but can also be directed at payment processors to compromise hundreds of their clients at once.

North Korean hackers on trend

The North Korean hackers are in line with a recent general uptick in Magecart attacks, which have seen a particularly sharp spike since the Covid-19 restrictions became common across the world in March. In recent months, more sophisticated techniques have also emerged that enable attackers to skim credit card information while also allowing a successful transaction to go through. This puts even PCI-compliant services, which were previously thought to be highly resistant to Magecart attacks, at risk.

The SanSec report indicates, however, that North Korean hackers switched focus to Magecart attacks long before Covid-19, getting underway in May 2019. The primary culprits are APT 38, also known as Lazarus Group and Hidden Cobra. This is the group thought to have compromised Sony in 2014 and to have been behind the WannaCry ransomware outbreak of 2017, among other high-profile criminal activity. SanSec bases this assessment on distinctive patterns in the malware code and infrastructure seen in previous attacks by North Korean hackers.

SanSec believes that the North Korean hackers have compromised at least several dozen online stores around the world, the largest of which thus far has been the fashion accessory chain Claire’s. The standard modus operandi is to target employees of retail stores with spear phishing attacks, delivered from domain names that closely resemble the name of the store. Employee login credentials are then used to slip the malicious code into the payment processing pages of the site. The money is laundered out through a global exfiltration network of legitimate small business sites that have been compromised, and the credit card numbers are sold on dark web markets.

Though the use of phishing attacks as the initial point of entry is mostly speculation, SanSec did uncover one concrete link between a domain used by the North Korean hackers and prior phishing attacks that passed malicious documents pointing to it. The attack focused on attendees of the annual Consumer Electronics Show (CES) in Las Vegas in 2019 and attempted to pass Microsoft Office documents containing malicious macros that attempted to install remote access software from the domain in question.

Magecart attacks continue to be a major threat

Magecart attacks are expected to remain popular for the foreseeable future, particularly while countries remain locked down due to the pandemic and online shopping is up. Thousands of sites are compromised by these attacks each month.

Hank Schless, Senior Manager of Security Solutions at Lookout, notes that the common entry point of phishing attacks is the most effective place to shut down Magecart attacks: “Magecart-like skimming campaigns can be difficult to track and protect against … the majority of compromises begin with a phishing communication … Code injection attacks like this are impossible for a consumer to see and incredibly difficult for an organization to spot if they don’t have the right security tools in place.”

Schless also notes that this is not likely to become a trend among nation-states. North Korea is in a unique position due to widespread sanctions and is going for lower-hanging fruit out of necessity: “Traditionally, seeing a state-sponsored group carry out a card skimming campaign might seem curious, especially if it was a wealthier nation. Magecart is far less complex than what the world is accustomed to seeing from nation-states and is usually carried out by individuals or smaller groups for incremental financial gain. However, North Korea is so heavily sanctioned and struggles economically, so it will clearly use whatever tactics it can to get access to funds.”

Previous Magecart attacks were mostly the province of independent cyber criminals operating out of Russia and Indonesia. Given the track record of success established by the North Korean hackers, it is likely that there will be an uptick among less sophisticated operators. SanSec makes something of a speciality of monitoring general Magecart activity across the internet (finding 30 to 100 infected stores per day), and reports having seen prefabricated “skimming kits” aimed at less technical operators appearing for sale on dark web forums since 2018. The “Magecart attacks” moniker may also need to be retired as this type of attack can potentially be directed against any type of online payment system.

In addition to putting a strong emphasis on anti-phishing measures (phishing being the leading means by which sites get hacked), Gurucul CEO Saryu Nayyar suggests that e-commerce sites need to take potential vendor vulnerabilities much more seriously: “Companies don’t have enough visibility into their external web-facing attack surfaces, or into the security of their 3rd party supply chains. Improving visibility into that space and applying advanced security analytics can help by identifying the attack behavior early in the cycle before it can compromise customer data.”

In terms of organizational security measures, Ameet Naik, security evangelist at PerimeterX, adds: “This series of attacks used a combination of lookalike domains and legitimate websites, all controlled by the attackers, as a means of exfiltrating the stolen data. The use of such techniques makes it difficult to prevent Magecart attacks using pre-configured policies alone. PerimeterX researchers recently reported on a technique where common services like Google Analytics could be abused to exfiltrate stolen data. Businesses require real-time client-side application protection to stop malicious script activity on their websites, prevent data breaches and avoid their customer data from being used to fuel more cybercrime.”
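The attack pattern the article describes, from the injected code on payment pages to the lookalike and compromised legitimate domains used to receive the stolen data, can be checked for with a static audit of a store's own checkout page. The following is an added example and is not code from SanSec, Lookout, Gurucul or PerimeterX: a small Python script that parses checkout HTML and flags every script source, form target and inline-script URL whose host is outside a per-store allowlist, with a similarity test that separates lookalike hostnames from merely unlisted ones. The store domain, allowlist and sample HTML are constructed for the illustration; a real deployment would fetch the live page and maintain its own allowlist.

```python
"""Static allowlist audit of a checkout page's script and form destinations.

Added example, not code from SanSec, Lookout, Gurucul or PerimeterX.
STORE_DOMAIN, ALLOWED_HOSTS and SAMPLE_CHECKOUT_HTML are constructed for
the illustration.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

STORE_DOMAIN = "example-store.test"  # hypothetical merchant domain
ALLOWED_HOSTS = {STORE_DOMAIN, "cdn.example-store.test", "js.payment-gateway.test"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


class _PageCollector(HTMLParser):
    """Gather external script srcs, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.form_actions = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def host_of(url):
    """Hostname of an absolute URL; None for relative paths (same origin)."""
    return (urlparse(url).hostname or "").lower() or None


def is_lookalike(host, reference=STORE_DOMAIN, threshold=0.8):
    """True for hosts that closely resemble the store domain without being it."""
    if host == reference or host.endswith("." + reference):
        return False
    return SequenceMatcher(None, host, reference).ratio() >= threshold


def unlisted_reason(host, allowed_hosts):
    """Why a host is suspicious, or None if same-origin or allowlisted."""
    if host is None or host in allowed_hosts:
        return None
    return "lookalike of store domain" if is_lookalike(host) else "host not on allowlist"


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, value, reason) findings for every off-allowlist destination."""
    page = _PageCollector()
    page.feed(html)
    findings = []
    for src in page.script_srcs:
        reason = unlisted_reason(host_of(src), allowed_hosts)
        if reason:
            findings.append(("script", src, reason))
    for action in page.form_actions:
        reason = unlisted_reason(host_of(action), allowed_hosts)
        if reason:
            findings.append(("form", action, reason))
    for body in page.inline_scripts:
        # Injected inline code commonly carries the absolute URL it reports to.
        for url in URL_RE.findall(body):
            reason = unlisted_reason(host_of(url), allowed_hosts)
            if reason:
                findings.append(("inline-script", url, reason))
    return findings


# Constructed sample: one legitimate CDN script, one lookalike-domain script,
# a same-origin form and an inline script holding an off-site endpoint.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-store.test/lib.js"></script>
<script src="https://example-st0re.test/analytics.js"></script>
<form action="/checkout/submit" method="post"></form>
<script>
  var endpoint = "https://small-biz-site.test/collect";
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, value, reason in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:14} {reason:28} {value}")
```

Run against the sample, the audit reports the `example-st0re.test` script as a lookalike of the store domain and the inline endpoint on `small-biz-site.test` as an unlisted host, while the same-origin script, the CDN script and the relative form action pass. The allowlist is deliberately per-host rather than per-policy: as Naik notes above, attackers route exfiltration through domains they control or have compromised, so anything not explicitly expected on a payment page is worth a look regardless of how legitimate the host appears.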