News

IS experts discovered connection between North Korean hackers and MageCart attacks

Specialists from the Dutch information security company SanSec have discovered that the hacker group Lazarus (aka Hidden cobra) practices web-skimming and hacks online stores. They also managed to find connection between North Korean hackers and MageCart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious codes) on the pages of online stores to steal bank card data.

But this approach turned out to be so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it unites a whole class of such attacks. If in 2018 RiskIQ researchers identified 12 such groups, then by the end of 2019, according to IBM, there were already about 40 of them.

Let me remind you that hackers even managed to inbuild a Magecart script to collect bulling information on Forbes subscription website.

“During such attacks, hackers usually gain access to the server of the online store, any related resources or third-party widgets, and are able to download and run malicious code”, – say SanSec researchers.

Typically, a web skimmer is downloaded only on the checkout page and automatically steals the payment card data when the user enters them at checkout. This data is sent to a remote server, controlled by cybercriminals, and hackers collect it, use it themselves or sell it on the darknet.

Mass attacks on online stores have been ongoing approximately since mid-2018. Among the most significant victims of recent attacks are Wongs Jewelers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armor, Microbattery, Realchems and Claire’s.

A recent SanSec report connects specific domains and IP addresses used for recent MageCart attacks on US stores with the previously known hacker infrastructure of “government” hackers. So, SanSec founder Willem de Groot writes that the gathered evidence indicates that the famous North Korean hack group Lazarus may stand behind a series of attacks on American stores.

“How Hidden cobra gained access (to compromised stores) is still unknown, but attackers often use phishing attacks (malicious emails) to retrieve passwords of employees from the retail industry”, — write the expert.


Green is a hacked store. Red – Lazarus-controlled data extraction nodes. Yellow – unique techniques linking attacks and malicious code.

I also remind you that hackers hide MageCart web skimmers in image metadata and even managed to hide malicious code behind favicon.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Techlottads.top pop-up ads (Virus Removal Guide)

Techlottads.top is a site that tries to trick you into clik to its browser notifications…

3 mins ago

Remove Streamcompletelysophisticatedthe-file.top pop-up ads (Virus Removal Guide)

Streamcompletelysophisticatedthe-file.top is a domain that tries to trick you into clik to its browser notifications…

4 mins ago

Remove Womadds.club pop-up ads (Virus Removal Guide)

Womadds.club is a domain that tries to trick you into subscribing to its browser notifications…

33 mins ago

Remove Controlchek.site pop-up ads (Virus Removal Guide)

Controlchek.site is a domain that tries to force you into subscribing to its browser notifications…

33 mins ago

Remove Boot-upextremelysophisticatedthe-file.top pop-up ads (Virus Removal Guide)

Boot-upextremelysophisticatedthe-file.top is a site that tries to force you into clik to its browser notifications…

34 mins ago

Remove News-xheluza.cc pop-up ads (Virus Removal Guide)

News-xheluza.cc is a domain that tries to trick you into subscribing to its browser notifications…

4 hours ago