North Korea's Lazarus hackers are planting skimmers on US and European retail websites, researchers warn

The group has developed a global exfiltration network that uses hijacked websites to transfer stolen assets to attackers

Researchers at cyber security firm Sansec claim to have found evidence to suggest that North Korean state-sponsored actors are planting skimmers on the web stores of many American and European retailers in efforts to steal payment card details of unsuspecting shoppers.

The activities have been ongoing since at least May 2019, the researchers say, and can be attributed to hackers linked with the North Korean-backed Lazarus group.

Sansec's new research shows that in the last year, Lazarus has been able to infiltrate web stores of many retailers, such as international fashion chain Claire's. The group has also developed a global exfiltration network that uses authentic websites to transfer stolen assets to attackers. These websites are first hijacked and then repurposed to mask the malicious activities of the hackers.

The researchers said they have identified many exfiltration nodes in the hackers' network in recent months, including a New Jersey-based book store, a vintage music store from Tehran and a modelling agency in Milan.

In June last year, Sansec found that a US truck parts store that was infected with a payment skimmer. This skimmer used a compromised Italian modelling site to exfiltrate payment cards' data to hackers.

Although the malware was removed from the web store within 24 hours, it returned a week later, with some changes. Instead of using the compromised Italian site, the malware this time used a New Jersey-based book store to harvest customers' payment card data.

In following months, the researchers found the same piece of malware on dozens of other online stores, all using any one of the following hijacked websites as loader and card collector:

• Technokain[dot]com
• Stefanoturco[dot]com
• areac-agr[dot]com
• Darvishkhan[dot]net
• signedbooksandcollectibles[dot]com
• luxmodelagency[dot]com

Earlier this year, hackers registered some new domains resembling popular consumer brands. Subsequently, they compromised the web stores of three corresponding brands with payment skimming malware and used their anonymously registered domains as loader and card collector.

Lazarus group, also known as Hidden Cobra, gained notoriety in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

According to cyber security firm Group-IB, this notorious group stole more than $600 million worth of cryptocurrency in 2017 and 2018.

Earlier this year, security vendor Kaspersky warned that Lazarus was updating its attack tactics in efforts to remain undetected during cryptocurrency stealing campaigns.

In May, Malwarebyes researchers said that they have identified a new variant of the Dacls Remote Access Trojan (RAT) which was likely designed by Lazarus to target devices running Mac operating system.