FIN6 Cyber-crime Ring Steals Millions of Credit Cards

By Sean Michael Kerner | Posted 2016-04-22

A FireEye report discloses the activities of a financial hacking group that could be responsible for hundreds of millions of dollars in fraud.

Modern cyber-crime is often conducted by well-organized groups, with sophisticated tactics and the potential to perpetrate fraud at scale. Security firm FireEye issued a new report on April 20 detailing the operations of one such financial cyber-crime group, which it dubbed FIN6.

"The report talks through how the FIN6 activity fits into broader e-crime activity and underground marketplaces where malicious actors buy and sell resources," John Miller, director of ThreatScape Cyber Crime in iSIGHT Partners, a FireEye company, told eWEEK. "A lot of crimeware infections that many organizations would normally just dismiss as a nuisance can actually lead to very damaging exploitation."

The full scope of how damaging the exploitation can be is discussed in the report in the context of one particular campaign executed by FIN6 in which approximately 20 million credit cards were compromised. FireEye estimates that the market value of the stolen card data could potentially have been $400 million.

"We found in one breach that we linked to FIN6 there were about 20 million cards sold, primarily from the U.S., and the data was selling for approximately $21 a card at the time," Miller said. "So if all the cards were sold for $21 a card, that would have been a return of over $400 million."

That said, Miller noted that not all cards are sold for the same price, as the value of compromised cards changes over time. Additionally, those who buy compromised credit card data tend to pick and choose which cards they want to acquire, and likely wouldn't buy all 20 million. Beyond the revenue generated from selling the stolen cards, Miller said there is still all the actual fraud that attackers could commit with the compromised cards.

"Criminals who purchase the compromised cards would obviously want to get more out of the data than what they paid for it," he said. "That's the value of purchasing the data in the first place."

It's a large effort to correlate fraud across multiple clusters of malicious activity, but that's what FireEye has attempted to do for FIN6, according to Nart Villeneuve, principal threat intelligence analyst at FireEye. FIN6 victims fall in the retail and hospitality sectors, he added.

"FireEye Mandiant goes on investigations, and that provides a lot of detailed information on what attackers might do in a post-compromise situation," Villeneuve said. "At the same time, FireEye is digging through data from FireEye sensors, trying to build out information."

With iSIGHT, which FireEye acquired for $275 million in January, Villeneuve noted that FireEye now has even more visibility into what is happening on malicious underground networks.

The attack methodology used by FIN6 involves multiple layers, and it often begins with a phishing campaign. Villeneuve explained that FIN6 will use the phishing activity to first get a foothold in a network. Once in a network, FIN6 has multiple tools to move laterally, find information and establish backdoor access to steal data.

Attackers send out phishing emails using a variety of lures, with attached documents that contain malicious macros; when a recipient runs the macro, it downloads a malware executable, he said. From an actual vulnerability perspective, the FIN6 group makes use of older issues, including CVE-2013-3660, CVE-2011-2005 and CVE-2010-4398, all of which have already been patched by Microsoft. Those vulnerabilities are used for privilege escalation once attackers already have a foothold in the network.
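One defensive control that follows from the lure described above is to triage inbound attachments for macro-bearing Office documents before they reach a mailbox. The script below is an added illustration written for this article; it is not code from the FireEye report, from FIN6 tooling or from eWEEK. It assumes attachments arrive as (filename, bytes) pairs, relies on the fact that OOXML documents are ZIP containers whose VBA project is stored in an entry named vbaProject.bin, and uses constructed sample attachments rather than real captured files.

```python
"""Triage e-mail attachments for macro-enabled Office documents.

Added illustration, not code from the FireEye report or from eWEEK.
Assumptions: attachments arrive as (filename, bytes) pairs; OOXML documents
are ZIP containers and a VBA project lives in an entry named vbaProject.bin.
Legacy binary formats (.doc/.xls, OLE2) are not ZIP files, so they are
flagged for separate review rather than parsed here.
"""
import io
import zipfile

OOXML_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm",
                    ".xltm", ".pptx", ".pptm")
LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container carries a VBA project (i.e. macros).

    The check is content-based: a macro-bearing file renamed to .docx is
    still caught because the ZIP entry, not the extension, is inspected.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin")
                   for name in zf.namelist())


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'macro', 'legacy-ole', 'clean' or 'other'."""
    if data.startswith(LEGACY_OLE_MAGIC):
        # Binary Office format: needs an OLE parser (e.g. oletools), so hold it.
        return "legacy-ole"
    if filename.lower().endswith(OOXML_EXTENSIONS):
        return "macro" if has_vba_project(data) else "clean"
    return "other"


def flag_macro_attachments(attachments):
    """Return the filenames that warrant sandboxing or blocking before delivery."""
    return [name for name, data in attachments
            if triage_attachment(name, data) in ("macro", "legacy-ole")]


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style ZIP for demonstration (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder blob
    return buf.getvalue()


# Constructed sample inbox: one macro-bearing "invoice", one clean document,
# one legacy OLE file and one PDF. None of these are real captured files.
SAMPLE_ATTACHMENTS = [
    ("invoice_2016.docm", _build_ooxml(with_macro=True)),
    ("agenda.docx", _build_ooxml(with_macro=False)),
    ("old_report.doc", LEGACY_OLE_MAGIC + b"\x00" * 32),
    ("brochure.pdf", b"%PDF-1.4 ..."),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name}: {triage_attachment(name, data)}")
    print("hold for review:", flag_macro_attachments(SAMPLE_ATTACHMENTS))
```

The point of inspecting the ZIP contents rather than trusting the extension is that a lure document only needs to carry a VBA project to run its downloader; what the file is called is irrelevant to Office. Flagged files are candidates for detonation or quarantine, not a verdict of malice, since legitimate macro workbooks exist in most organisations.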

While it's always a good idea to patch systems and avoid clicking on attachments from unknown sources, Villeneuve suggests additional best practices for limiting risks from groups like FIN6, including the use of network segmentation and encryption.

"You should ensure that to the maximum amount possible, all data that is handled on the network is encrypted," he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
