fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

North Korean Hackers Adapt Web Skimming For Stealing Bitcoin

North Korean Hackers Adapt Web Skimming For Stealing Bitcoin

Hackers linked with the North Korean government applied the web skimming technique to steal cryptocurrency in a previously undocumented campaign that started early last year, researchers say.

The attacks compromised customers of at least three online stores and relied on infrastructure used for web skimming activities and attributed in the past to Lazarus APT, also known as Hidden Cobra.

Targeting cryptocurrency-friendly stores

In research published last year, Dutch cyber-security company Sansec exposed Lazarus operations that had been going since 2019 to capture payment card data from online shoppers at large retailers in the U.S. and Europe.

The malicious JavaScript code (also referred to as JS-sniffer or web skimmer) used in those attacks collected the payment card details that customers entered on the checkout page.

One of the campaigns, tracked as “clientToken=” because of a string hidden in the code, started in May 2019. The ID of the campaign and the JS-sniffer used in the attacks point to Lazarus activity aimed at stealing cryptocurrency.

An investigation from researchers at Group-IB cybersecurity company that started from Sansec’s discovery revealed that the North Korean hackers in 2020 also attacked online shops that accepted payments in cryptocurrency.

The attackers modified the malicious JavaScript from the “clientToken=” campaign so that it replaced the store’s Bitcoin address with one they controlled. This way, online shoppers’ money would end up in the attacker’s wallet.

Lazarus BTC Changer source code snippet
Lazarus BTC Changer source code snippet

Also Read: Compliance Course Singapore: Spotlight On The 3 Offerings

Reusing infrastructure and tools

Referring to the malicious script as Lazarus BTC Changer, Group-IB researchers say that it had the same names of functions as the skimmer used in the “clientToken=” campaign.

According to the research, the attackers started using the modified script in late February 2020 and used the same infrastructure that served previous web skimming activity. One such website was luxmodelagency[.]com.

Group-IB says that they found two compromised websites that loaded Lazarus BTC Changer, which had also been infected during the original “clientToken=” campaign described by Sansec: Realchems and Wongs Jewellers.

Of the two, though, only Realchems accepted payment in cryptocurrency. The researchers believe that in the case of Wongs Jewellers the threat actor had added the malicious script in error.

At one point, Lazarus BTC Changer was also present at a third victim, an Italian luxury clothes shop but at the time of the analysis the script had been removed from the website, the researchers say.

“Like all traditional JS-sniffers, Lazarus BTC Changer detects when users are on the checkout page of an infected website, but instead of collecting bank card details, it replaces the BTC or ETH address owned by the shop with an address used by the hackers” – Group-IB

The actor made some changes to the technique in late March 2020, when they added a fake payment form in the script that opened in an iframe element on the page.

What this achieved was that the store’s BTC wallet no longer had to be replaced and the customer would send the cryptocurrency directly to the threat actor’s address.

Lazarus BTC Changer fake pay form
Lazarus BTC Changer fake pay form

The researchers say that the same form was used for all targets, even if it appears tailored for one victim, Realchems. The actor then used the SingleFile browser extension to save it.

Looking closer at the code, Group-IB found that it had been saved discovered another hint pointing to a Korean actor: the Korean text for Greenwich Mean Time in a comment created by SingleFiles when saving a web page, suggesting the use of a system with Korean locale.

Small campaign suggests a test run

Despite the campaign starting early last year, it appears that the actor did not make much money. A set of four cryptocurrency addresses extracted from the malicious script indicate a profit.

  • 1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt
  • 1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he
  • 1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta
  • 0x460ab1c34e4388704c5e56e18D904Ed117D077CC

However, only the first two Bitcoin wallets were active during the Lazarus BTC Changer campaign. The third Bitcoin address had only one transaction from January 7 and the Ethereum wallet had been active since July 2019 and could have served other operations.

Based on the transactions, though, Group-IB was able to determine that at the time of withdrawing the cryptocurrency the attackers transferred less than one Bitcoin, which was worth close to $8,500.

The researchers tracked all outgoing transactions from the BTC addresses found in Lazarus BTC Changer samples and found that they all went to a single address.

Previous activity connected to attacker’s addresses suggests that they used the payment service provider CoinPayments, which integrates with online shops and payment gateways for cryptocurrency support.

If CoinPayments was indeed used by this threat actor to transfer funds to other cryptocurrency addresses, the company’s Know Your Customer (KYC) policy could help identify whoever carried out the attacks, at least in theory.

It should be noted that there are methods and services that cybercriminals can use to hide their identity despite KYC policies.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

The small scale of the campaign makes researchers believe that this was just a test run for a new set of tools and tactics that could be used on larger targets at a later time.

Based on the evidence revealed through Sansec research and its own, Group-IB attributes these attacks to the North Korean group of hackers with a high level of confidence.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us