Operation PoisonedApple: Tracing Credit Card Information Theft to Payment Fraud
Explore how Operation PoisonedApple evolved from basic credit card theft to sophisticated payment fraud, targeting Asian e-commerce with advanced phishing and evasion techniques.
- Operation PoisonedApple involved a threat actor (Evil Queen/Eberkin) targeting online stores in Korea and Japan since 2009, compromising over 50 stores and exposing 8,000+ credit cards.
- The attackers evolved from simple card theft to sophisticated fraud schemes:
  - Creating phishing payment pages identical to major payment gateways
  - Exploiting second-hand trading platforms to sell fake Apple products
  - Using stolen cards for fraudulent payments at Apple stores
  - Monetizing through direct fraud rather than just selling card data
- Technical attack methods included:
  - SQL injection to acquire admin credentials
  - Web shell deployment for persistent access
  - iFrame injection attacks
  - Cloudflare CDN usage to hide real server IPs
  - PHP-based phishing pages and exploit tools
- The threat actor showed strong ties to China through:
  - Chinese language resources and tools
  - Domain registrations through Chinese ISPs
  - Chinese names and phone numbers in registration details
  - Use of Chinese hosting services
- Sophisticated evasion techniques employed:
  - Displaying phishing pages only during specific times
  - Using session data to control page visibility
  - Implementing cookie-based authentication
  - Masquerading file names as legitimate payment modules
- The operation demonstrated deep understanding of Korean payment systems:
  - Accounting for additional authentication requirements
  - Targeting specific vulnerabilities in local payment processes
  - Adapting to regional financial security measures
  - Creating region-specific phishing interfaces
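The evasion techniques listed above (time-gated display, session and cookie gating, file names that imitate payment modules) are exactly what a store operator can look for when auditing a webroot. The following is an added defender-side example, not code from the talk or from the actor: it diffs the deployed PHP files against a known-good baseline manifest and runs heuristic patterns over anything new or changed. The sample files, paths, and regexes are constructed for illustration.

```python
import hashlib
import re

# Heuristics for the evasion tricks described in the summary. These are
# assumed patterns written for this example, not signatures of the actor's code.
INDICATORS = {
    "time_gated_output": re.compile(r"\b(date|time|hour)\s*\(.*?\)\s*[<>=!]=?", re.S),
    "session_gated_output": re.compile(r"\$_SESSION\s*\[.*?\].*?(exit|die|header)", re.S),
    "cookie_gated_output": re.compile(r"\$_COOKIE\s*\[.*?\].*?(exit|die|header)", re.S),
    "injected_iframe": re.compile(r"<iframe[^>]+src=", re.I),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Return paths that are new or changed relative to the deployment baseline."""
    return {
        path: ("new" if path not in baseline else "modified")
        for path, content in current.items()
        if baseline.get(path) != sha256(content)
    }

def evasion_indicators(source: str) -> list:
    """Names of the evasion heuristics that match a PHP source file."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan(baseline: dict, current: dict) -> dict:
    """Report every file that is new, or modified and showing an indicator."""
    findings = {}
    for path, status in diff_against_baseline(baseline, current).items():
        hits = evasion_indicators(current[path].decode("utf-8", "replace"))
        if status == "new" or hits:
            findings[path] = {"status": status, "indicators": hits}
    return findings

# Constructed sample webroot: one legitimate module and one look-alike file
# that only renders its form inside a time window and after a cookie check.
LEGIT_PAY = b"<?php\nrequire 'gateway.php';\necho render_form($order);\n"
FAKE_PAY = (b"<?php\nif (date('H') < 9 || date('H') > 18) { exit; }\n"
            b"if (!isset($_COOKIE['v'])) { header('Location: /'); exit; }\n"
            b"include 'pay_form.html';\n")
BASELINE = {"modules/pay/pay_kr.php": sha256(LEGIT_PAY)}
CURRENT = {"modules/pay/pay_kr.php": LEGIT_PAY,
           "modules/pay/pay_kr2.php": FAKE_PAY}

if __name__ == "__main__":
    for path, finding in scan(BASELINE, CURRENT).items():
        print(path, finding)
```

In practice the baseline manifest is generated at deploy time and stored off the web server, so a compromise that drops or edits a file cannot also rewrite the reference hashes.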