
"FIN6" Cybergang Steals Millions of Cards From PoS Systems

FIN6 Hackers Deployed Malware on Thousands of Retail and Hospitality Point-of-Sale Systems

Researchers have been monitoring the activities of a cybercriminal group that appears to have made a significant amount of money by stealing millions of payment card records and selling them on an underground marketplace.

The financial threat actor, dubbed “FIN6,” has been observed by FireEye since 2015, when it was spotted compromising the point-of-sale (PoS) systems of organizations in the retail and hospitality sectors. By combining its efforts with iSIGHT Partners, which it acquired in January, FireEye managed to track the group’s activities from the initial intrusion up to the point where they sold the stolen data.

Investigations conducted by FireEye-owned Mandiant revealed (PDF) that the attackers possessed valid credentials for each of the targeted companies’ networks. However, experts have not been able to determine the initial method of compromise due to the lack of forensic evidence.

In one attack, researchers found Grabnew malware (also known as Neverquest, Snifula and Vawtrak) on the victim’s systems. Experts assumed that a different threat group planted Grabnew and used it to capture credentials. Grabnew and the credentials it harvested were later used by the FIN6 group in its operations.


Grabnew has been known to be used to download other malware onto infected systems. In November 2015, Proofpoint reported seeing the AbaddonPOS malware on systems infected with Grabnew.

Once it gained access to the targeted organization’s systems using compromised credentials, FIN6 leveraged various Metasploit components to download and execute shellcode, and gain backdoor access to the victim’s network. Various tools and previously known exploits were used by the attackers to escalate their privileges and harvest credentials that would allow them to move laterally in the network.

The cybercriminals deployed a piece of malware dubbed FrameworkPOS (named TRINITY by FireEye) on PoS systems. The threat is designed to capture payment card data from the memory of running processes and save it to a file on the system. The stolen data is copied to an intermediary system, then to a staging system, and ultimately it’s sent to external servers via FTP and public file sharing services.
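As an added example (not code from the article or the FireEye report), this is one way a defender could hunt PoS, intermediary and staging hosts for files holding dumped card data, by searching raw bytes for Track 2 records and confirming each with a Luhn check. It assumes the dump is stored unencoded, which the article does not state; all function names and the sample buffer are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2 layout:
# ';' PAN (13-19 digits) '=' YY MM service-code (3 digits) discretionary data '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(blob: bytes):
    """Return (offset, masked PAN) for each plausible Track 2 record in blob."""
    hits = []
    for m in TRACK2.finditer(blob):
        pan = m.group(1).decode()
        month = int(m.group(3))
        # The expiry month and Luhn checks cut false positives from random digits.
        if 1 <= month <= 12 and luhn_ok(pan):
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append((m.start(), masked))   # never log the full PAN
    return hits


def scan_file(path: str):
    """Scan one file; binary mode so dumps with NUL padding still match."""
    with open(path, "rb") as fh:
        return find_track2(fh.read())


# Constructed sample: one valid test PAN, one Luhn failure, one bad expiry month.
SAMPLE = (b"log start\x00;4111111111111111=25121010000000000?\x00"
          b"noise;4111111111111112=25121010000000000?"
          b";4111111111111111=25131010000000000?")

if __name__ == "__main__":
    for offset, pan in find_track2(SAMPLE):
        print(f"offset {offset}: {pan}")
```

A hit on a host that should never store track data (a staging server or a file share) is worth escalating even when the file name and location look benign.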

In one case, investigators determined that FIN6 actors deployed the PoS malware on roughly 2,000 systems, allowing them to compromise millions of cards.

iSIGHT Partners discovered that the data stolen by FIN6 has been offered for sale on an underground card shop. Experts found evidence that the cybercrime group had been selling payment card numbers on this website since as far back as 2014.

The card shop in question sold millions of payment cards, including ones stolen by other threat actors, but FIN6 appears to be an important supplier and some of the group’s members could even be running the underground website. Researchers identified cases where over 10 million cards associated with attacks conducted by FIN6 had been offered for sale.

The shop also advertised nearly 20 million cards associated with a FIN6-linked breach. The credit card records, mostly from the United States, were sold for an average of $21, which would result in a profit of up to $400 million. It’s unlikely that all the records were sold at full price, but even a fraction of $400 million means a significant profit for the cybercriminals.

"The story of FIN6 shows how real-world threat actors operate," the report concludes, "providing a glimpse not only into the technical details of the compromise, but also into the human factor as well; namely, the interactions between different criminals or criminal groups, and how it is not just data being bartered or sold in the underground, but also tools, credentials and access."

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.