Research released earlier today connects the North Korean nation-state hacking group Lazarus to a campaign that lasted over a year and targeted the payment card information of customers of large US- and Europe-based retailers. The group allegedly used legitimate websites to exfiltrate the stolen credit card data from the companies, in what is known as a MageCart attack. Lazarus relied on malicious scripts such as web skimmers that copy the sensitive payment information from the checkout page.
Researchers at Sansec discovered that the skimmers were loaded from domains that also dished out malware in spear-phishing attacks previously attributed to North Korean hacker activity, specifically the Lazarus group. Sansec then analyzed the attack infrastructure and its unique identifying characteristics, concluding that the skimming campaign was connected to North Korea. Victims of the campaign include Claire’s, Paper Source, Wongs Jewellers, Focus Camera, CBD Armour, Realchems, and Microbattery; however, the full list of victims includes dozens of stores.
Read More: North Korean hackers linked to credit card stealing attacks on US stores