Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members

Gang Tied to 15 Million Stolen Payment Cards, $1 Billion in Losses
Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members
Arby's fast food restaurants were one of many chains hit by the FIN7 gang, which stole payment card data. (Photo: Arby's)

Three Ukrainian men who were allegedly part of one of the world's most prolific financial hacking gangs have been arrested, the U.S. Department of Justice said on Wednesday as it unsealed indictments against each of the suspects.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The men were allegedly high-level members of FIN7, a group also referred to as Carbanak or Navigator, which has been tied to the theft of more than 15 million payment card records from U.S. businesses and $1 billion in losses.

Using malware, the group allegedly extracted payment card details from hospitality businesses, casinos and restaurant chains including Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-In and Taco John's. The payment card details were then sold online for fraudulent purposes.

"FIN7 is one of the most sophisticated and aggressive malware schemes in recent times, consisting of dozens of talented hackers located overseas," the Justice Department says in a fact sheet.

The scale of FIN7's operations has been significant. In the U.S. alone, FIN7 allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations," the Justice Department says.

Many businesses have sought to better secure their payment card systems and networks in light of large intrusions in recent years affecting T.J. Maxx, Target, Home Depot and many others. But their efforts have not been fully effective. Indeed, the U.S. continues to suffer a payment card breach epidemic centered not just on restaurants, but also retailers and hotels. The problem is compounded by the ease of procuring card-scraping malware, designed to infect POS systems, as well as backdoor exploitation tools - such as the Carbanak backdoor - from underground cybercrime forums.

FIN7's payment card hacking touched every state except three. (Source: U.S. Department of Justice)

The three suspects are Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30. Each faces 26 separate felony counts, ranging from identity theft to conspiracy to commit computer hacking.

Fedorov was arrested in January in Bielsko-Biala, Poland, and is awaiting extradition to the U.S. Hladyr, who was arrested in Dresden, Germany, in January, is now in Seattle. His trial in U.S. District Court in Seattle is due to begin Oct. 22. The U.S. is seeking the extradition of Kolpakov, who was arrested in January in Lepe, Spain.

Spanish National Police and the EU's law enforcement intelligence agency, Europol, had announced in March that a Ukrainian Carbanak suspect, named only as "Denis K.," was arrested in Alicante, Spain. It's not clear if Denis K. might be Kolpakov; Europol didn't immediately respond to a request for comment (see Spain Busts Alleged Kingpin Behind Prolific Malware).

Spear-Phishing Experts

FIN7 is believed to have dozens of members operating out of Eastern Europe. But the Justice Department says the three arrested men were part of its leadership.

The group regularly used spear phishing attacks to target victims. The attackers crafted what appeared to be legitimate looking messages referring to, for example, a catering order or reservation details. Those messages often contained malicious attachments, which, if opened, infected the organization's computers.

An example of a spear phishing email sent by FIN7. (Source: Justice Department)

To make the fake emails seem more legitimate, the attackers would often follow up with a call to the targeted company, the Justice Department says.

"The caller often directed the employee to the recently sent phishing email to further entice the employee to open the attached file and activate the malware," prosecutors say.

The group was meticulous about obfuscating and testing its malware, which was often loaded into Microsoft Word documents, according to the security company FireEye, which issued a report into the group's operations on Wednesday, following the Justice Department's announcement.

"FIN7 is referred to by many vendors as 'Carbanak Group,' although we do not equate all usage of the Carbanak backdoor with FIN7," FireEye says."Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. The threat group regularly tested malicious DOC, DOCX, and RTF phishing documents against public repositories to check static detection engine coverage."

FIN7 also digitally signed its malware, which can increase the chances security tools will view an executable file as legitimate.

The four steps to a compromise by the FIN7 cybercrime gang (Source: Justice Department)

"By digitally signing their phishing documents, backdoors and later stage tools, FIN7 was able to bypass many security controls that may limit execution of macros from Office documents and restrict execution of unsigned binaries on trusted systems," FireEye says.

The initial malware created a foothold, and then FIN7 loaded other tools, sometimes including the Carbanak backdoor, onto systems, the Justice Department says. Employees of victim organizations were often monitored via screenshots and video capture by malware, which allowed the attackers to steal credentials.

"FIN7 then used its unauthorized access to the victim's computer system to locate and extract various information and property of value, such as financial information and caches of customer payment card data," FireEye says.

Bogus Company

In a somewhat surprising turn, the Justice Department says that the FIN7 also created a fake company called Combi Security.

The company, which was supposedly based in Israel and Russia, purported to be a penetration testing and security consultancy. Prosecutors believe it was an attempt "to add a thin veil of legitimacy to the hacking scheme."

"Ironically, the sham company's website listed multiple U.S. victims among its purported clients," the Justice Department says.

The indictment against Dmytro Fedorov.

Combi Security "recruited individuals with computer programming skills, falsely claiming that the prospective employees would be engaged in legitimate pen testing of client computer networks," according to Fedorov's indictment. "In trust and in fact, as defendant and his FIN7 conspirators well knew, Combi Security was a front company used to hire and deploy hackers who were given tasks in furtherance of the FIN7 conspiracy."

FireEye says it has now found job advertisements for Combi Security on Russian, Ukrainian and Uzbek job recruitment sites and has identified individuals who may have worked for it. FIN7's boldness in trying to obscure financially motivated cybercrime for legitimate security engagements is "notable," the company says.

"Due to the seeming legitimacy of the recruitment postings, some individuals may have been unaware of illicit nature of their work," FireEye says. "The apparent success of Combi Security in recruiting unsuspecting individuals in this manner may lead to more of this type of technical recruitment by cyber criminals in the future."

Executive Editor Mathew Schwartz also contributed to this story.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.