News: Lazarus group suspected of stealing payment card data from customers in the USA and Europe


Jun 28, 2020
Criminals used legitimate websites to steal credit card information and disguise their transactions.


Sansec specialists reported a large-scale malicious campaign to steal payment card data from customers of large retailers in the US and Europe. In this fraudulent activity, which researchers attribute with some confidence to the Lazarus group (also known as Hidden Cobra), the criminals used legitimate websites both to steal credit card information and to disguise their transactions.

According to the experts, the web skimmers were loaded from domains the criminals had previously used in successful phishing attacks. The list of victims includes dozens of stores, among them such large companies as Claire’s, Wongs Jewelers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armor, Microbattery and Realchems.

To hide their tracks, the criminals break into the websites of legitimate businesses and use them as drop points for the stolen information. The attackers hacked the sites of the Italian modeling agency Lux Model Agency, a bookstore in New Jersey and an old music store in Tehran.

Another Lazarus tactic is registering domain names that closely resemble the names of real stores.

In June 2019, Sansec specialists discovered a skimmer on the website of an American truck parts store that used the hacked website of an Italian modeling agency to collect payment data. The injected customize-gtag.min.js script was obfuscated with a JavaScript obfuscator. The code contained the string WTJ4cFpXNTBWRzlyWlc0OQ==, which is used as the HTTP GET parameter that sends the stolen payload to the hacked site.

The malware was removed within 24 hours of being planted, but a week later it reappeared on the same store's website. This time it used a bookstore in New Jersey as the drop point for the stolen credit card information.

In February and March 2020, several domain names resembling popular consumer brands were registered (PAPERS0URCE.COM, FOCUSCAMERE.COM and CLAIRES-ASSETS.COM). Subsequently, the experts found that the online stores of the three corresponding brands had been compromised and infected with malware that collects payment information.

In all three cases the same infrastructure was used, together with a distinctive piece of code that the experts had never seen before.

The researchers acknowledge that these attacks could be the work of other criminals, but consider it unlikely that several groups controlled the same hacked websites at the same time. One reason is that attackers usually keep a compromised site for their own use and close off the exploited vulnerability so that rival criminals cannot get in.