Operation PoisonedApple: Tracing Credit Card Information Theft to Payment Fraud

Operation PoisonedApple involved a threat actor (Evil Queen/Eberkin) targeting online stores in Korea and Japan since 2009, compromising over 50 stores and exposing 8,000+ credit cards

The attackers evolved from simple card theft to sophisticated fraud schemes:

• Creating phishing payment pages identical to major payment gateways
• Exploiting second-hand trading platforms to sell fake Apple products
• Using stolen cards for fraudulent payments at Apple stores
• Monetizing through direct fraud rather than just selling card data

Technical attack methods included:

• SQL injection to acquire admin credentials
• Web shell deployment for persistent access
• iFrame injection attacks
• Cloudflare CDN usage to hide real server IPs
• PHP-based phishing pages and exploit tools

The threat actor showed strong ties to China through:

• Chinese language resources and tools
• Domain registrations through Chinese ISPs
• Chinese names and phone numbers in registration details
• Use of Chinese hosting services

Sophisticated evasion techniques employed:

• Displaying phishing pages only during specific times
• Using session data to control page visibility
• Implementing cookie-based authentication
• Masquerading file names as legitimate payment modules

The operation demonstrated deep understanding of Korean payment systems:

• Accounting for additional authentication requirements
• Targeting specific vulnerabilities in local payment processes
• Adapting to regional financial security measures
• Creating region-specific phishing interfaces