Notorious cybercrime group FIN7 appears to be back at work about a year after the FBI arrested three of its members, which dealt a major blow to the group’s activities.
Between 2015 and the arrests in August 2018, FIN7 was responsible for a very advanced malware campaign that hit 100 companies in the hospitality industry, according to the FBI. Among the names that were publicly disclosed: Chipotle Mexican Grill (CMG), Chili’s (EAT), Arby’s, Red Robin (RRGB), Sonic, and Jason’s Deli.
FIN7 had been previously linked to data heists at Trump Hotels, Whole Foods (AMZN), Saks Fifth Ave and Lord & Taylor (HBAYF).
The group steals credit card data from point-of-sale terminals and by other means. The data is then sold on the dark web, the internet’s black market. The cards are then used fraudulently, costing financial institutions millions of dollars.
This week, cybersecurity group FireEye discovered a new piece of very advanced malware that it linked to FIN7, indicating the group has recovered and is back in action — posing a grave danger to retailers, hospitality groups, financial institutions, and consumers leading up to the holiday season.
“The group has definitely recovered,” said Randy Pargman, a former FBI senior computer scientist who left the Bureau a few weeks ago after a 15-year career and who continues his cyber defense work at Binary Defense. Pargman investigated the group at the FBI’s cyber task force in Seattle. “They seem to be actively recruiting more people to the group and have certainly been carrying out their operations and tools, including very sophisticated malware,” he said.
Most hackers use generic malware they buy on the dark web. And most companies of scale have anti-virus software that can detect and deal with these attacks. But FIN7 develops its own malware for its exclusive use, which renders anti-virus software inadequate for defense.
Hacking on an ‘enterprise scale’
FIN7 isn’t just a casual group of hackers in someone’s parents’ basement. The group is as advanced as many Silicon Valley startups, Pargman told Yahoo Finance.
“When FIN7 targets companies, they approach it on an enterprise scale,” he said.
The FBI is fuzzy on FIN7’s exact size, but it’s in the “dozens,” and there are several divisions that each execute a specific function, much like a real company. There’s a research and development arm that figures out the best ways to phish and hack, a market research arm that identifies profitable targets for hacks, strategists who focus on tailoring the best approach, and a group that works on how to target and manipulate individual people via social engineering.
A lot of the work happens through phishing, often involving calling an employee of a company and pretending to be a customer. While the group is based in Europe and made up of many eastern Europeans, the lack of an American accent isn’t a problem. Scammers on this scale can easily hire another type of dark web service: native English speakers who will perform a script designed to manipulate the person on the other end of the line.
Once a person is manipulated into installing something — which turns out to be malware — on their device without their knowledge, the malware can spread quickly, giving the hackers control of more and more computers in the process. The division that gained that access then hands it off to yet another group within FIN7, which finds and extracts the credit card records so FIN7 can sell them.