Skip to main content

Report: North Korea targets U.S. retailers for online fraud

Hackers sponsored by the government of North Korea are reportedly stealing payment card data from customers of U.S. e-commerce retailers.

According to e-commerce security software provider Sansec, members of the Hidden Cobra hacking group, which the U.S. Department of Justice has publicly associated with the North Korean government, have been illegally placing payment skimmers into the e-commerce sites of several American retailers since at least May 2019.

Sansec analysis indicates the hackers are using “Magecart” attacks, which install JavaScript on an e-commerce site to collect payment card data and send it to the attacker every time a customer makes a purchase. Magecart malware is designed to only run malicious script when a customer purchase is in progress, making it extremely hard to detect.

The Sansec report says Hidden Cobra has hijacked a number of legitimate websites around the globe to help extract stolen card data from online retailers and then transmit it for eventual resale on the dark web. These include sites for a modeling agency in Milan, Italy; a music shop in Tehran, Iran, and a bookstore in Wayne, N.J. 

Retailers affected by the Hidden Cobra hack reportedly include Claire’s, Focus Camera, and Paper Source. The hackers are also said to have created a fake Claire’s e-commerce site for the purpose of fraudulently collecting consumer payment card data.

“Digital skimming attacks are a lucrative source of revenue for hackers,” said Ameet Naik, security evangelist at Web security provider PerimeterX. “This series of attacks used a combination of lookalike domains and legitimate websites, all controlled by the attackers, as a means of exfiltrating the stolen data. The use of such techniques makes it difficult to prevent Magecart attacks using pre-configured policies alone. Businesses require real-time client-side application protection to stop malicious script activity on their websites, prevent data breaches and avoid their customer data from being used to fuel more cybercrime.”

This ad will auto-close in 10 seconds