“FIN6” Cybergang Steals Millions of Cards From PoS Systems

FIN6 Hackers Deployed Malware on Thousands of Retail and Hospitality Point-of-Sale Systems

Researchers have been monitoring the activities of a cybercriminal group that appears to have made a significant amount of money by stealing millions of payment card records and selling them on an underground marketplace.

The financially motivated threat actor, dubbed “FIN6,” has been tracked by FireEye since 2015, when it was spotted compromising the point-of-sale (PoS) systems of organizations in the retail and hospitality sectors. By combining its efforts with iSIGHT Partners, which it acquired in January 2016, FireEye was able to follow the group’s activity from the initial intrusion up to the point where the stolen data was sold.

Investigations conducted by FireEye-owned Mandiant, detailed in a report (PDF), revealed that the attackers already possessed valid credentials for each of the targeted companies’ networks. However, investigators were not able to determine the initial method of compromise because the forensic evidence needed to establish it was no longer available.

In one attack, researchers found Grabnew malware (also known as Neverquest, Snifula and Vawtrak) on the victim’s systems. Experts assumed that a different threat group planted Grabnew and used it to capture credentials. Grabnew and the credentials it harvested were later used by the FIN6 group in its operations.

Grabnew has been known to be used to download other malware onto infected systems. In November 2015, Proofpoint reported seeing the AbaddonPOS malware on systems infected with Grabnew.

Once it gained access to the targeted organization’s systems using the compromised credentials, FIN6 leveraged various Metasploit components to download and execute shellcode and establish backdoor access to the victim’s network. The attackers then used a mix of tools and previously known exploits to escalate privileges and harvest additional credentials, which allowed them to move laterally through the network toward the PoS environment.

On the PoS systems themselves, the cybercriminals deployed a piece of malware dubbed FrameworkPOS (tracked as TRINITY by FireEye). The malware scrapes payment card data from the memory of running processes and saves it to a file on the local system. The stolen data is then copied to an intermediary system, from there to a staging system, and ultimately sent to external servers via FTP and public file sharing services.

In one case, investigators determined that FIN6 actors deployed the PoS malware on roughly 2,000 systems, allowing them to compromise millions of cards.

iSIGHT Partners discovered that the data stolen by FIN6 has been offered for sale on an underground card shop. Experts found evidence that the cybercrime group had been selling payment card numbers on this website since as far back as 2014.

The card shop in question sold millions of payment cards, including ones stolen by other threat actors, but FIN6 appears to be an important supplier and some of the group’s members could even be running the underground website. Researchers identified cases where over 10 million cards associated with attacks conducted by FIN6 had been offered for sale.

The shop also advertised nearly 20 million cards associated with a FIN6-linked breach. The card records, mostly from the United States, were sold for an average of roughly $21 each, which at that price would bring in on the order of $400 million. It is unlikely that every record sold at full price, but even a fraction of that sum represents a significant profit for the cybercriminals.

“The story of FIN6 shows how real-world threat actors operate,” the report concludes, “providing a glimpse not only into the technical details of the compromise, but also into the human factor as well; namely, the interactions between different criminals or criminal groups, and how it is not just data being bartered or sold in the underground, but also tools, credentials and access.”

Related: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
