Cyber criminals targeting the retail and hospitality sectors

FireEye has recently uncovered the activities of a highly lethal group of cyber criminals, dubbed FIN6.

In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised point-of-sale (POS) systems, making off with millions of payment card numbers. These card numbers were later sold on a particular underground “card shop,” potentially earning FIN6 hundreds of millions of dollars.

FireEye Threat Intelligence and iSIGHT Partners recently combined their research to provide a unique and extensive look into the activities of this group. This combined insight gives visibility into FIN6's operations from initial intrusion, through the methods used to navigate the victims' networks, to the sale of the stolen payment card data in an underground marketplace.

Stolen data from several of FIN6's victims has been identified as being sold as far back as 2014. This connection means that data stolen by FIN6 has almost certainly ended up in the hands of fraud operators across the world, who buy and exploit payment cards from the underground shop. In each case, the stolen data began appearing in the shop within six months of the FIN6 breach. While the amount of data sold through the shop varies by breach, in some cases more than 10 million cards associated with a specific FIN6-linked breach have been identified on the shop. After being posted, much of the stolen card data is quickly purchased for exploitation. Along with the data we have linked to FIN6, this underground shop has sold data from millions of other cards, which may be linked to breaches perpetrated by other threat actors.

The story of FIN6 shows how real-world threat actors operate, providing a glimpse not only into the technical details of the compromise but also into the human factor: the interactions between different criminals or criminal groups, and the fact that it is not just data being bartered or sold in the underground, but also tools, credentials and access. In this case, the combined intelligence from the FireEye, Mandiant and iSIGHT intelligence teams was able not only to identify malicious activity aimed at stealing payment card data, but also to provide a detailed window into that activity from compromise through monetisation of the stolen data.

Intelligent CISO