If you live in the United States or one of several Nordic countries, your payment card data might be of interest to a duo of cybercriminals that FireEye refers to as the “Vendetta Brothers.”
The pair, FireEye security researchers say, are using various strategies to compromise point-of-sale (PoS) systems and steal payment card information that is subsequently sold on their underground marketplace “Vendetta World.” The two have been observed online using the monikers “1nsider” and “p0s3id0n,” and employ practices commonly seen in legitimate business.
In a new report (PDF), FireEye reveals that the cybercriminals are believed to operate from Spain and Eastern Europe and frequently partner with other cybercriminals for PoS malware delivery or for the provision of skimming hardware to capture payment information.
The Vendetta Brothers use these partnerships to outsource, and insulate themselves from, tasks such as locating, identifying, and sometimes exploiting target payment systems. The duo can thus reach a more diverse array of payment systems while also mitigating risk and potentially frustrating investigators by working through recruited proxy partners.
The cybercriminals use a variety of techniques to achieve their nefarious goals, including phishing and the installation of physical skimmers. The gathered payment card information is sold via an e-commerce website, where customers can search for payment cards from specific banks or geographical regions, researchers say. However, the Vendetta Brothers have only around 9,400 cards for sale, which means that their operation is rather small compared to that of other cybercriminal groups.
According to the FireEye report, the payment cards on Vendetta World carried more than 2,000 bank identification numbers (BINs) from 639 banks in 40 countries. The top five countries are the United States (nearly 5,000 cards), Sweden (over 2,000 cards), Norway (more than 1,500 cards), Finland (close to 250 cards), and Denmark.
By implementing multiple business practices, the Vendetta Brothers diversify their sources of payment card data. These practices include outsourcing (partnering with cybercriminals who independently gained remote access to PoS terminals), purchasing leads (employing spam services to send phishing emails with malicious attachments), and installing physical skimmers paired with video cameras to capture both the payment card data and the user's PIN.
“Observing the Vendetta Brothers’ tactics has revealed a business-like approach to their crime operations that allows them to boost profits through expanded targeting, partnerships and diversification. By keeping various aspects of the scheme separate, the pair’s operations might only be disrupted to the extent to which the discovered partner was involved,” FireEye explains.
The security researchers also explain that, by outsourcing parts of their operation, the Vendetta Brothers bet on law enforcement investigators being more likely to catch the partner than them. Even though their operation is small, the Vendetta Brothers emulate proven practices from established businesses, which indicates thoughtful planning on how to maximize profit and minimize risk.
Related: Cybercriminals Developing Biometric Skimmers for ATM Attacks
Related: New ATM Malware Allows Attackers to Physically Steal Cards

More from Ionut Arghire