Follow the Money -- An Up-Close Look at the Massive Credit Card Hacking Ring, FIN7

Financial threat actor FIN7 made headlines in August 2018 when a United States District Court indicted three of its members for hacking. The group had carefully targeted its victims, focusing on large-scale theft of payment card data using nation-state-level techniques and a rapid, innovative development cycle. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as “Carbanak Group.”

The threat group is characterized by its persistent targeting and large-scale theft of payment card data from victim systems, but FIN7’s financial operations went beyond stealing credit information. In some instances, when they encountered but could not obtain payment card data from point-of-sale systems secured with end-to-end encryption or point-to-point encryption, FIN7 pivoted to target finance departments within their victim organizations.

FireEye has followed FIN7 since 2015, noting its move from weaponized Microsoft Office macros to keep from being discovered. FIN7 evolved to using phishing lures with hidden shortcut files to infect targets and compromise them. During campaigns that FireEye associates with FIN7, the group targeted victims within the following sectors in the United States and Europe: Restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services.

In April 2017, FIN7 sent spear phishing emails to personnel involved with United States Securities and Exchange Commission (SEC) filings at multiple organizations, targeting individuals who would likely have access to material non-public information that FIN7 actors could use to gain a competitive advantage in stock trading.

With its more recent attacks, FIN7 usually deployed point-of-sale malware within targeted organizations. The group sent spear phishing emails and then called the targets, encouraging them to open malware-laden emails and begin the infection process. The result? Well over $1 billion in losses for the victims.

People who purchased anything at over 3,000 affected locations saw their wallets take a hit. FIN7 digitally stole 15 million credit card numbers, and then sold them on the black market for other criminals to use.

FireEye spoke with Nick Carr and Barry Vengerik, two analysts who have tracked FIN7 for years, about who the group is targeting and how, and what might be next for the massive hacking ring in light of the recent arrests of three of its leaders.

FIN7 really seemed to focus on restaurants, hospitality, and casinos and gaming. Why those industries in particular?

Barry Vengerik: These industries are heavily focused on customer service. With the hotels they targeted earlier on, FIN7 would communicate as if they were attempting to book large corporate events, with ballrooms and multiple rooms. That is enticing lure content for anybody that's in charge of booking at those hotels.

Similarly, for restaurants FIN7 used themes of catering or large orders, but also themes of complaints about the restaurant, like, “The food made me sick,” or “I left my bag in your restaurant.” FIN7 really attempted to capitalize on the customer service aspect, as well as targeting specific users within the organization whose regular duties are to open unsolicited attachments—which is in direct contrast to the spear phishing advice we usually give customers. The targeted folks at these organizations were not in a position to avoid interacting with these unsolicited attachments.

What types of payloads did FIN7 use to get into the victim environments?

Barry:  For the first couple years, the group pretty consistently used a Java Script backdoor we call “half-baked” and added new features to it with each victim. Once they established initial access, we saw an interesting grab bag of secondary payloads, including the famous CARBANAK backdoor. It was a mix of a simpler backdoor on the front end that received a lot of active development, and then they quickly pivoted to a lot of different tools and techniques based on the customer environment.

With such a variety of tools and constant changes, does it make it more difficult to find FIN7 in a customer environment? Can you continue to track them through all those changes?

Nick Carr: The FireEye response is focused on protecting our customers from those initial spear phishing emails. At the same time, we did a tremendous number of incident response engagements into FIN7 intrusions, most often at clients who don't have our products. Simply being able to detect what they look like when they're trying to get into the network isn't good enough – it is about detecting some of those methods that Barry mentioned, blending in and looking like good systems admins. It's pretty interesting.

Some FIN7 members were arrested in August. Did you see any changes in the group after the arrests?

Barry: Starting last summer, we saw a new initial vector backdoor called BATELEUR, targeting pretty much the same victim set. It was a different Java Script backdoor but very similar functionally to the backdoor we had seen from FIN7 in the past. We saw traditional FIN7 half-baked backdoor activity slow down and BATELEUR activity ramp up. So, we've actually got pretty high confidence that this is a newer aspect of FIN7. Given the apparent size of the organization behind this, it can become really difficult to identify what is actually controlled by the same organization, or maybe it’s a developer that left and is starting their own gig, or a third party providing infrastructure or malware for this organization.

Do you expect any changes going forward as a result of the indictments against some members of FIN7?

Nick: We see the individuals continuing to operate. As long as there's non-extradition countries where these guys are located, the majority of the activity will continue on.