North Korean hackers linked to Magecart attack spree
Cyber criminals with ties to Lazarus have been intercepting checkouts on a global scale since at least May 2019


North Korean hackers with ties to Lazarus Group have pivoted to skimming online shopping platforms in recent months, following in the footsteps of the Magecart hacking collective.
Security researchers have found links between recent global skimming activity and previously documented North Korean hacking operations, particularly cyber criminals linked with the group known as Lazarus, or HIDDEN COBRA.
The infrastructure used by Lazarus Group operations has been reused for Magecart-like attacks, with distinctive patterns in the malware code identified, linking multiple hacks to the same group, according to a report published by Sansec.
Digital skimming activity is the interception of credit cards during online purchases and was a practice traditionally dominated by Russian and Indonesian cyber criminals. This is no longer the case, however, with North Korean hackers ramping up activity in this space aggressively since May 2019.
Thousands of sites are known to have fallen victim to ‘Magecart’ tactics over the last year or so, with this particular method of attack named after the collective that first targeted British Airways, Ticketmaster and Newegg in 2018. More than 17,000 domains were compromised by Magecart in July last year, meanwhile, in a massive ‘spray and prey’ attack targeting sites with misconfigured Amazon S3 buckets.
To intercept payments, an attacker must modify the computer code that runs the online store. Lazarus managed to gain access to the store code of large retailers, using as-of-yet unknown methods. One theory, however, is that spearphishing attacks were used to obtain the passwords of retail staff.
Using this access, the attackers would then inject a malicious script into the store checkout page, and wait for a customer to make a transaction. Once a customer completes their purchase, the intercepted data is sent to a collection server.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Researchers with Sansec in June 2019 discovered a skimmer on a US track parts store using a compromised Italian modelling site to harvest payment data, with the same malware emerging a week later to target a New Jersey book store.
Several domains were later registered in February and March 2020 resembling popular consumer brands, with Sansec subsequently finding the web stores of all three compromised with payment skimming malware.
The three malware strains not only shared the same infrastructure, but also shared a snippet of code that Sansec had not observed elsewhere. After further analysis, the researchers concluded they had evidence that North Korean state-sponsored hackers have been engaging in large digital skimming operations since at least May 2019.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
Why are many men in tech blind to the gender divide?
In-depth From bias to better recognition, male allies in tech must challenge the status quo to advance gender equality
By Keri Allan
-
BenQ PD3226G monitor review
Reviews This 32-inch monitor aims to provide the best of all possible worlds – 4K resolution, 144Hz refresh rate and pro-class color accuracy – and it mostly succeeds
By Sasha Muller