September 21, 2023

North Korea’s state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers’ payment card details as they visit the checkout page and fill in payment forms.

These types of attacks are named “web skimming,” “e-skimming,” or “Magecart attack,” with the last name coming from the name of the first group who engaged in such tactics.

Web skimming attacks are simple in nature, although they require advanced technical skills from hackers to execute. The goal is for hackers to gain access to a web store’s backend server, associated resources, or third-party widgets, where they can install and run malicious code on the store’s frontend.

The code loads only on the check out page, and silently logs payment card details as they’re entered into checkout forms. This data is then exfiltrated to a remote server, from where hackers collect it and sell it on underground cybercrime markets.

Web skimming attacks usually require hackers to operated a large infrastructure to host the malicious code or run collection points.

The SanSec report links domains and server IP addresses used in recent web skimming attacks to previously-known North Korean state-sponsored hacking infrastructure.

Researchers said evidence points back to Hidden Cobra (or Lazarus Group), the code name given by the US Department of Homeland Security to Pyongyang’s elite state-operated hacking crews.


Green = hacked store
Red = Hidden Cobra controlled exfiltration nodes
Yellow = Unique technique linking the attacks and malicious code


North Korean state-sponsored hacking operations. While many government-backed groups engage in cyber-espionage activities only, North Korea, due to sanctions that are crippling its economy, also uses state hackers to gather funds for its government.

Pyongyang’s hackers have been linked to cyber-heists at banks all over the globe, have been involved in ATM heists and ATM cash-outs, have cryptocurrency scam and have breached cryptocurrency exchanges.

North Korean hackers have also been blamed for infamous Wannacry attack, which brought a large part of the IT world to its knees in May 2017. Authorities and experts said WannaCry was a botched attempt at creating a ransomware strain to use in extorting victims for money to raise funds for the Pyongyang regime.

The fact that North Korean hackers have been involved in web skimming incidents is not a surprise to industry experts, as they’ve historically gravitated towards any type of cybercrime that can generate a profit.

Leave a Reply

%d bloggers like this: