Hidden Cobra threat actors are behind a series of attacks aimed at U.S. and European shoppers, using Magecart to skim credit card information from retailers.
“Researchers have attributed the activity to HIDDEN COBRA because infrastructure from previous operations was reused,” according to a report from Sansec, which also identified distinctive patterns in the malware code “that linked multiple hacks to the same actor.”
The hackers, once known primarily for their attacks on banks and South Korean crypto markets, recently have trained their focus on skimming as incidents at retailers Claire’s, Focus Camera and Paper Source have shown.
“Digital skimming attacks are a lucrative source of revenue for hackers. The data stolen from an attack on the Volusion e-commerce platform in 2019, for example, was valued at $133 million on the dark web,” said Ameet Naik, security evangelist at PerimeterX.
Hidden Cobra developed a global exfiltration network using legitimate sites that had been attacked and repurposed like those of an Italian modeling agency, a vintage music store in Tehran and a family-run bookstore in New Jersey, Sansec said.
“Given the economic situation in North Korea, it would be no surprise to see their cyberwarfare units spreading more broadly into the world of cybercrime,” said Saryu Nayyar, CEO at Gurucul. “These Magecart attacks have been observed since 2015, which indicates we still have a way to go towards securing our e-commerce applications.”
Noting that the “series of attacks used a combination of lookalike domains and legitimate websites, all controlled by the attackers, as a means of exfiltrating the stolen data,” Naik said, “The use of such techniques makes it difficult to prevent Magecart attacks using pre-configured policies alone.”