Threat Watch

North Korea’s Lazarus Threat Group Connected to Magecart Credit Card Theft

Researchers working for the security firm Sansec released a report documenting previously undisclosed evidence that the Advanced Persistent Threat (APT) group known as Lazarus, which is believed to be backed by the government of North Korea, has engaged in the digital theft of credit and debit card account details from online merchants since at least May 2019. Previous reports of threat activity attributed to the group include theft of cryptocurrency, theft of money from banks, and other actions more often associated with cyber-criminal groups than with nation-state espionage. Because North Korea operates under international sanctions, it is not surprising that the government continues to resort to theft and the sale of stolen goods as a source of income. The attacks against online merchants detailed in Sansec’s report follow the typical pattern of Magecart attacks: malicious JavaScript is injected into websites to collect the credit or debit card details entered by customers during the checkout process, and the stolen information is sent to other compromised servers under the control of the threat actors. From there, the card records are organized into batches and sold on underground markets known as “carding shops,” where other criminals purchase the card details in bulk and use them to make fraudulent purchases. The researchers were able to link the activity to the Lazarus group because the domain names and other infrastructure used to steal card details overlapped with infrastructure used in other attacks attributed to the group.

ANALYST NOTES

Although this is the first time the Lazarus group has been linked to the theft of credit cards from online merchants, that does not change the recommended approach for defenders of e-commerce websites. Security personnel should be alert to phishing attacks or other theft of passwords used by website administrators, since a stolen administrator password could be used to alter the scripts on an e-commerce server. Multi-Factor Authentication (MFA) should be used so that the theft or guessing of a single password is not enough to compromise the entire site. File integrity monitoring software should be used to detect unauthorized changes to any script or HTML file hosted on the server, and sandboxing should be applied to third-party scripts hosted on other servers so that changes to those scripts or unexpected behavior by them cannot compromise the site.
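One way to implement the file integrity check recommended above, as an added example that is not from Sansec’s report or from any particular monitoring product: it records SHA-256 digests of the script and HTML files under a web root and reports which files were modified, added or removed since the baseline. The directory layout and file names used in `demo()` are constructed for illustration only.

```python
import hashlib
import tempfile
from pathlib import Path

# File types whose unauthorized modification is the classic Magecart signal.
WATCHED_SUFFIXES = {".js", ".html", ".htm", ".php", ".phtml"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root) -> dict:
    """Map every watched file under web_root (relative POSIX path) to its digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed sample web root (hypothetical paths), then simulated unauthorized edits."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "js" / "checkout.js").write_text("function submitOrder() {}\n")
    (root / "index.html").write_text("<html><body>shop</body></html>\n")
    (root / "logo.png").write_bytes(b"\x89PNG")  # not a script or page; ignored
    baseline = build_baseline(root)
    # Simulate unauthorized edits: an appended block, a new file, a deleted page.
    with (root / "js" / "checkout.js").open("a") as f:
        f.write("/* unexpected appended code */\n")
    (root / "js" / "vendor.js").write_text("// new file\n")
    (root / "index.html").unlink()
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline must be stored somewhere the web server account cannot write, or an attacker who can alter scripts can also rewrite the baseline.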