Summary
Threat actors aligned with the FIN7 hacking group have maintained a multi-year, large-scale hacking campaign that compromised tens of millions of consumer debit and credit cards. The campaign, operating since 2015, has caused more than an estimated $1,000,000,000 USD in damage to banks, hospitality entities, card companies, and direct consumers by targeting numerous entities in the restaurant, gaming, and hospitality industries.
In total, the campaign resulted in the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations across the United States, United Kingdom, Australia, and France. News of the campaign comes as a Ukrainian citizen was sentenced by the United States Attorney’s Western District of Washington Office for his criminal association with FIN7.
That citizen, Denys Iarmak, is now serving five years in prison for his role as a penetration tester for FIN7. Iarmak is the third FIN7 member to be sentenced in the United States.
TTPs
The FIN7 campaign uses conventional phishing tactics to deliver malware to a variety of hospitality organizations, then uses that malware to gain administrative access, take control of the victim's systems, and extract credit card information. In its emails, the group masquerades as a legitimate service provider or business associate, chosen to suit the specific target type, and asks the target to open a specially crafted attached file.
The group also placed telephone calls intended to further legitimize its emails and convince targets to open the file. Once the file attached to the fraudulent email was opened, FIN7 actors would use an adapted version of the Carbanak malware to access and steal payment card data belonging to the business's customers. Since the inception of the campaign, many of the stolen payment card numbers have been offered for sale on online underground marketplaces.
Analysis
FIN7 is a financially motivated cybercriminal group whose operations are based primarily in Russia and Eastern Europe. Over the past four months, the group has targeted multiple organizations in the retail and hospitality sectors. In addition to stealing card information, the group is known to offer a ransomware-as-a-service (RaaS) model. The group uses sophisticated tactics, is well-resourced, and is prolific in its activity. Given FIN7's sophistication and its recent focus on retail and hospitality organizations, RH-ISAC recommends that members maintain awareness of the group's ongoing activity and ensure they are proactively ingesting available threat intelligence.