Operation PoisonedApple: Tracing Credit Card Information Theft to Payment Fraud

Explore how Operation PoisonedApple evolved from basic credit card theft to sophisticated payment fraud, targeting Asian e-commerce with advanced phishing and evasion techniques.

Key takeaways

  • Operation PoisonedApple involved a threat actor (Evil Queen/Eberkin) targeting online stores in Korea and Japan since 2009, compromising over 50 stores and exposing 8,000+ credit cards

  • The attackers evolved from simple card theft to sophisticated fraud schemes:
    • Creating phishing payment pages identical to major payment gateways
    • Exploiting second-hand trading platforms to sell fake Apple products
    • Using stolen cards for fraudulent payments at Apple stores
    • Monetizing through direct fraud rather than just selling card data

  • Technical attack methods included:
    • SQL injection to acquire admin credentials
    • Web shell deployment for persistent access
    • iframe injection attacks
    • Cloudflare CDN usage to hide real server IPs
    • PHP-based phishing pages and exploit tools

  • The threat actor showed strong ties to China through:
    • Chinese-language resources and tools
    • Domain registrations through Chinese ISPs
    • Chinese names and phone numbers in registration details
    • Use of Chinese hosting services

  • Sophisticated evasion techniques employed:
    • Displaying phishing pages only during specific times
    • Using session data to control page visibility
    • Implementing cookie-based authentication
    • Masquerading file names as legitimate payment modules

  • The operation demonstrated a deep understanding of Korean payment systems:
    • Accounting for additional authentication requirements
    • Targeting specific vulnerabilities in local payment processes
    • Adapting to regional financial security measures
    • Creating region-specific phishing interfaces