How a criminal gang stole information for more than 20 million credit cards

We know that stealing and selling credit card data is big business for criminals, and a new report provides a rare look at the operations of gang FIN6, from attack to sale, on an underground card shop.

One breach linked to the gang was tied to more than 20 million stolen credit cards, mostly from the U.S., selling on average for US$21, according to the FireEye Threat Intelligence report. That adds up to US$400 million in revenue, if the cards sold at full price. That said, some of the cards likely sold at a discounted rate because stolen cards rapidly lose value once they hit the market.

It is unclear how many individuals make up the group, though the sophistication of its operations suggests several participants, said John Miller, director of cybercrime analysis for iSIGHT partners, which was acquired by FireEye in January. Also unclear is where the group is located, though these types of attacks are often initiated from Eastern Europe. The group may well be involved in a variety of different types of fraud, identifying and exploiting any opportunity for profit, he said.

"They are certainly skillful at their role, so when they enter into the network, they are quite adept at escalating privilege, moving around inside of the network to try to locate the data that they are after, which is payment card information," said Nart Villeneuve, principal threat intelligence analyst at FireEye.

The hospitality and retail sectors were the group's primary victims. FIN6 aggressively targeted and compromised point-of-sale (POS) systems to make off with millions of payment card numbers. These operations may be executed by multiple criminal gangs or FIN6 alone.

"This is a good example of the cybercriminal underground and the business relationships among it," said Miller.

The operation involved a three-step process; an individual clicked on an email attachment that triggered the download of malware to establish a foothold; if the attackers find something interesting they start moving around the network to install specialised malware on the POS systems that can extract payment card data from the memory. They then send that data to servers controlled by FIN6, and engage with the people who operate the underground card shops to sell the data to other criminals.

The operators of the underground card shops set up infrastructure in places where it's difficult for law enforcement to crack down, like countries with few resources to tackle cybercrime, or within networks such as Tor, software that enables anonymous communication. They then cycle between different infrastructure in reaction to being taken down or to stay one step ahead of law enforcement.

The more sophisticated operators will have multiple domains active at one time, so if one goes down, their criminal customers can still get to others. They are often located on publicly accessible sites and have intentionally lax security requirements for gaining access.

"Some cybercrime communities would require you to be a vetted criminal before you can enter the community," said Miller. "These shops tend to not go that route in order to be able to advertise to the maximum number of customers."

Stolen credit cards are used for fraudulent transactions. Criminals may use them to buy and resell commodity goods online, such as electronics, or to create clones for in-store purchases in the U.S. where some cards still do not have chips.

That said, the shelf-life of the cards is tied to what criminals in the business call the "validity rate," or how much of the data can be used to commit fraud. There are a number of factors that can impact the validity rate, said Miller. For example, if any part of this criminal syndicate inadvertently calls attention to the stolen data, alerting authorities or the card issuers. Once a breach is discovered, the cards are quickly cancelled, rendering them worthless.

"Once data starts to be sold, it starts to be used for fraud, then the breach becomes public because different financial institutions — entities involved in payment processing — start to be able to pinpoint the common source of the data," said Miller.

A more sophisticated vendor may be able to sell the data more incrementally, mix it in with other information or limit the data they make available publicly. This buys time, even after the fraud is committed, before victims figure out what is going on.

Researchers have identified stolen data from several of FIN6's victims being sold since as far back as 2014, which means that it likely ended up in the hands of fraud operators across the globe, said the report. In each case, the stolen data began appearing on the card shop, also known as a "dump shop," within six months of the start of the breach. The amount of data sold varied based on the breach. Once posted, it was often quickly purchased for exploitation. Similarly, this underground shop sold data on millions of other cards that may be linked to other cybercriminal groups.

It is not yet clear how the operators of the dump shop are linked to FIN6, said Miller. The vendor has sold large amounts of data with various characteristics, so it is possible that the operators maintain relationships with multiple cybercrimnal groups. Members of FIN6 could include some operators of the shop or FIN6 could simply be selling stolen data to those operators for resale.