Following The Money Down A Cybertheft Rabbit Hole

The landscape of cyberfraud – specifically payment card intrusions – is littered with piecemeal attacks, scattershot lone actors and small groups.

In a recent joint report released Wednesday (April 20) by FireEye Threat Intelligence and iSIGHT Partners, titled “Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6,” the duo focused on the activities of that particular group, and tracked everything from initial intrusion to the sale of stolen data in an underground marketplace devoted to such wares.

Put simply, FIN6 is a cybercriminal group focused on stealing payment card data and monetizing it – and the group’s initial attacks last year centered on POS systems in the hospitality and retail sectors.

In attacks that year, FIN6 managed to steal millions of payment card numbers. The numbers were then sold on to a “card shop” used to buy and sell that data. The report noted that at the moment it is “not entirely clear how FIN6 initially compromises its victims.” In some cases, such as a Mandiant investigation into the group, FIN6 already had valid credentials in place to infiltrate victim networks and was then able to push intrusion activity further along. One conduit may have been malware known as GRABNEW. The GRABNEW infection may have been initiated by a separate actor, said the report, with the credentials thus obtained then used by FIN6.

Whatever the initial point of entry, all cyberattacks, said the report, follow an “Attack Lifecycle” – one that spans the initial compromise to the mission’s completion. In the case of this attack, FIN6 used Microsoft vulnerabilities to compromise user accounts (those vulnerabilities have since been patched by Microsoft). The group then moved across servers to find a path into the POS systems. Subsequently, payment card data was stolen and moved out of the POS system environment.

iSIGHT’s insight showed that the stolen payment card data was then sold through an underground card shop, one advertised across several underground online forums. This is how the stolen data was monetized – and this site has been selling FIN6 stolen data for a few years.

The cycle continues with money laundering operations downstream of the card shops, in which the stolen card data is loaded into online shopping carts, like those of a typical retail website, and used to buy, say, gift cards or electronics.

As many as 10 million cards tied to FIN6 breaches have been identified, as noted in the report (and the returns accruing to those using the cards would run to several million dollars).