Attribution is notoriously difficult. However, pointing at the DPRK gives any infosec firm a reasonable chance of being correct…:
[…] Attacks on online stores have been going on since May 2019, said Dutch cyber-security firm SanSec in a report published today.
The highest-profile victim in this series of hacks is accessories store chain Claire’s, which was breached in April and June this year.
These types of attacks are named “web skimming,” “e-skimming,” or “Magecart attack,” with the last name coming from the name of the first group who engaged in such tactics.
Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store’s backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store’s frontend.
The code loads only on the checkout page, and silently logs payment card details as they’re entered into checkout forms. This data is then exfiltrated to a remote server, from where hackers collect it and sell it on underground cybercrime markets.
Web skimming attacks usually require hackers to operate a large infrastructure to host the malicious code or run collection points.
The SanSec report links domains and server IP addresses used in recent web skimming attacks to previously-known North Korean state-sponsored hacking infrastructure.
SanSec founder Willem de Groot said evidence points back to Hidden Cobra (or Lazarus Group), the codename given by the US Department of Homeland Security to Pyongyang’s elite state-operated hacking crews.
Map legend: Green = hacked store; Red = Hidden Cobra controlled exfiltration nodes; Yellow = unique technique linking the attacks and malicious code
“How HIDDEN COBRA got access is yet unknown, but attackers often use spearphishing attacks (booby-trapped emails) to obtain the passwords of retail staff,” de Groot said today.
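Because a skimmer running on the checkout page has to push the captured card details out to a remote collection host, a report-only Content-Security-Policy on that page turns the exfiltration attempt into a violation report the store can see. The script below is an added example, not code from the article or from SanSec: it triages such reports and flags checkout-page traffic to hosts outside the store's allowlist; the allowlist, checkout paths and sample reports are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Hosts the checkout page is allowed to talk to (constructed example allowlist).
ALLOWED_HOSTS = {"shop.example", "payments.example"}
# Paths where card details are entered (assumption: the store's checkout routes).
CHECKOUT_PATHS = ("/checkout", "/onestepcheckout")
# Directives a skimmer can abuse to push form data out of the browser.
EXFIL_DIRECTIVES = {"connect-src", "img-src", "form-action", "frame-src"}


def classify_report(report):
    """Return ('skimmer-suspect', host) when a checkout page tried to send
    data to a host outside the allowlist, otherwise None."""
    body = report.get("csp-report", report)  # report-uri wraps the body in 'csp-report'
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    directive = directive.split()[0] if directive else ""
    if directive not in EXFIL_DIRECTIVES:
        return None  # e.g. blocked inline scripts are noise for this check
    page = urlparse(body.get("document-uri", ""))
    if not page.path.startswith(CHECKOUT_PATHS):
        return None  # only the page holding the payment form matters here
    host = urlparse(body.get("blocked-uri", "")).hostname
    if host is None or host in ALLOWED_HOSTS:
        return None
    return ("skimmer-suspect", host)


def triage(report_lines):
    """Run over newline-delimited JSON reports and count suspect hosts."""
    counts = {}
    for line in report_lines:
        line = line.strip()
        if not line:
            continue
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line from the report collector, skip it
        hit = classify_report(report)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed sample reports in the report-uri JSON format (hosts are placeholders).
SAMPLE_REPORTS = """
{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "connect-src", "blocked-uri": "https://cdn-metrics.invalid/collect"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "img-src", "blocked-uri": "https://cdn-metrics.invalid/pixel.gif?d=ZXhhbXBsZQ"}}
{"csp-report": {"document-uri": "https://shop.example/product/42", "effective-directive": "connect-src", "blocked-uri": "https://cdn-metrics.invalid/collect"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "script-src-elem", "blocked-uri": "inline"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "connect-src", "blocked-uri": "https://payments.example/api"}}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS.splitlines()))  # {'cdn-metrics.invalid': 2}
```

A single unknown host receiving image or XHR traffic from the checkout page alone is the signal to pull the page's scripts and compare them against the deployed code; the report itself does not say which script made the request.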