Researchers believe North Korean state-sponsored threat actors have begun targeting e-commerce sites to skim or intercept shoppers' credit card details.
Security vendor Sansec said it had discovered links between recent skimming operations and previously documented North Korean HIDDEN COBRA hacking attacks that the United States government has tracked and warned about in the past few years.
The attacks target vulnerable Adobe Magento e-commerce shopping cart installations, adding malicious scripts to the stores' checkout pages that capture customers' keystrokes when credit card details are entered.
Sansec said the HIDDEN COBRA skimming attacks hijacked the legitimate sites of an Italian model agency, a vintage music store in Tehran, Iran, and a book shop in New Jersey, United States, and used them for criminal activity.
The malicious scripts are obfuscated, but descrambling the code and finding links to earlier North Korean hacking campaigns led Sansec to believe that the HIDDEN COBRA group carried out the skimming attacks.
Sansec found several common malware domains featuring hijacked sites, which suggested that HIDDEN COBRA is now actively moving beyond cryptocurrency theft and attacks on banks.
Sansec thinks the North Koreans have been engaged in large-scale digital skimming activity since at least May last year, joining Russian and Indonesian hackers in their plundering campaigns.