CNBC

How a criminal gang stole information for more than 20 million credit cards

The attackers gained access by emailing an attachment that downloaded malware when opened, then installed further malware on point-of-sale systems to extract payment card data

Sellers of stolen credit card data may have several domains active at once, often hosted on publicly accessible sites.
Photo: Getty

We know that stealing and selling credit card data is big business for criminals, and a new report provides a rare look at the operations of the gang FIN6, from the initial attack through to the sale of the data in an underground card shop.

One breach linked to the gang was tied to more than 20 million stolen credit cards, mostly from the U.S., selling on average for US$21, according to the FireEye Threat Intelligence report. That adds up to roughly US$400 million in revenue if every card sold at full price. In practice, some of the cards likely sold at a discount, because stolen cards rapidly lose value once they hit the market.

It is unclear how many individuals make up the group, though the sophistication of its operations suggests several participants, said John Miller, director of cybercrime analysis for iSIGHT partners, which was acquired by FireEye in January. Also unclear is where the group is located, though these types of attacks are often initiated from Eastern Europe. The group may well be involved in a variety of different types of fraud, identifying and exploiting any opportunity for profit, he said.


"They are certainly skillful at their role, so when they enter into the network, they are quite adept at escalating privilege, moving around inside of the network to try to locate the data that they are after, which is payment card information," said Nart Villeneuve, principal threat intelligence analyst at FireEye.

The hospitality and retail sectors were the group's primary victims. FIN6 aggressively targeted and compromised point-of-sale (POS) systems to make off with millions of payment card numbers. These operations may be executed by multiple criminal gangs or FIN6 alone.


"This is a good example of the cybercriminal underground and the business relationships among it," said Miller.

The operation involved a three-step process. First, an individual opened an email attachment that triggered the download of malware, giving the attackers a foothold. Second, if the attackers found something of interest, they moved through the network and installed specialised malware on the POS systems, malware that scrapes payment card data from the systems' memory. Third, they sent that data to servers controlled by FIN6 and dealt with the operators of underground card shops to sell it on to other criminals.
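The memory-scraping step above is the part of the chain a defender can check for directly: POS malware of this kind searches process memory for magnetic-stripe track data, and the same search run over a memory dump of a POS process tells you whether cleartext card data is exposed there. The following is an added illustration written for this page, not code from the FireEye report or from FIN6's tooling. It scans a byte buffer for ISO/IEC 7813 Track 1 and Track 2 layouts, discards candidates whose account number fails the Luhn check (which removes most false positives), and reports masked PANs. The dump is constructed inline and uses the well-known test number 4111111111111111, not a real card.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2: ;PAN=YYMM SSS discretionary?   (PAN 13-19 digits, expiry, service code)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a PCI-style masked PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int      # 1 or 2
    offset: int     # byte offset of the match in the buffer
    pan: str        # full PAN (caller decides whether to mask it)
    expiry: str     # YYMM as found on the track


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Find Luhn-valid Track 1/2 data in a raw memory buffer, ordered by offset."""
    hits: List[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue        # layout matched but checksum failed: noise
            hits.append(TrackHit(track, m.start(), pan, m.group("exp").decode()))
    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed sample "memory dump": padding, a fake log header, one card
# present as both Track 1 and Track 2, and one Track 2 record whose PAN
# fails Luhn so it should be ignored.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POS_TXN_LOG v2.1\x00"
    + b"%B4111111111111111^DOE/JANE^2512101123450000000?"
    + b"\x00" * 8
    + b";4111111111111111=2512101123450000000?"
    + b";4111111111111112=2512101000000000000?"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_DUMP):
        print(f"track{h.track} @0x{h.offset:04x} pan={mask(h.pan)} exp={h.expiry}")
```

Run against a real dump, the hit count is what matters: any Luhn-valid track data in the memory of a process that should only ever hold encrypted or tokenised card data is a finding, regardless of whether a scraper is present yet.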
