The targets read like a who’s who of a suburban shopping center: Chipotle, Chili’s and Red Robin.
But for the FIN7 collective, thought to be one of the most successful hacking groups of the last decade, it was a lucrative list.
One estimate put their earnings at more than $1 billion. The group is accused of stealing more than 15 million credit cards. Victims are spread across 120 countries worldwide. But for alleged members of the FIN7 group, all future transactions could be declined.
Three members of the group have been arrested and are accused by the Department of Justice of a sophisticated hacking campaign that used brazen phishing tactics and feats of social engineering.
The group’s primary targets have been high-transaction businesses in the restaurant, hospitality and gambling industries. The collective’s reach is widespread, breaching computer networks in 47 states and the District of Columbia.
“FIN7 is one of the most sophisticated and aggressive malware schemes in recent times, consisting of dozens of talented hackers located overseas,” the Department of Justice wrote Aug. 1.
The group was one of the most prominent hacking collectives of the decade because of its innovation, Nick Carr, a senior manager at FireEye, told Fifth Domain. He said that its success and reach are comparable to those of nation-state hacking groups with significant resources.
But to accomplish their goals, the group relied on a four-step process, according to the Justice Department. These everyday methods underscore how hackers use simple tactics to cause often devastating consequences. The arrests also indicate that the Department of Justice is becoming more aggressive in its quest — and ability — to lock up bad actors in cyberspace, especially those living overseas. Reports indicate the three Ukrainian men were detained in Germany, Spain and Poland.
By September 2015, the group began their operations and identified businesses with a high frequency of point-of-sale transactions. Fast-food, restaurants, casinos and hotels were obvious candidates.
After identifying their targets, the FIN7 group then tried to infiltrate these businesses’ digital networks. Using information publicly available on the internet, the hackers targeted employees and their email addresses.
A slew of emails carrying malicious attachments followed.
“I want to make a takeout order for tomorrow for 11 am,” one email read, according to the Justice Department. “The enclosed file contains the order and my personal info.”
Instead, the “order” contained customized malware that allowed the group to take over their victims’ networks and accrue millions of credit card numbers.
In April 2017, FireEye said that the group had “modified their phishing techniques to implement unique infection and persistence mechanisms.”
At times, the group followed up their emails with telephone calls to entice targets to open up the malicious documents.
To add legitimacy to their operations, the Justice Department said that the FIN7 group created a fake security business, Combi Security, to dupe victims. The group pretended to be a penetration testing enterprise based in Russia and Israel. Even potential employees appeared to be fooled into believing the ruse.
Once a target was infected, the FIN7 group’s customized malware allowed it to take over the network. The group then funneled even more malicious software into targets’ computers. The group utilized and adapted the Carbanak malware, which allowed them to monitor victims’ computers by taking screenshots or video, according to the Justice Department.
An example of the group’s prowess was its hack on the Emerald Queen Hotel and Casino in Washington. Around August 2016, the group sent at least two phishing emails to employees of the casino. Within a matter of hours, the hotel’s command-and-control server was compromised.
“Through a specially designed control panel, FIN7 could download a wide array of additional malware to the victim computer, remotely send commands and receive data, and move laterally through the company’s network,” the Justice Department said.
One of the group’s main targets was the point-of-sale systems that contained customer data and credit card numbers. Each swipe of a credit card was a target.
As the final step, the Justice Department alleges the group would sell the stolen credit card numbers online.
Now that three members of the FIN7 group have been arrested, the collective’s future is in doubt.
FireEye wrote that parts of the group would probably continue their campaign, although they are likely to change their tactics.
“Although we expect activity to continue, it is extremely common for threat actors to either modify their (tactics) or temporarily halt operations following significant developments such as arrests of high-level members.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.