FireEye discovers Cybercriminals, FIN6

FireEye discovered a highly lethal group of cybercriminals, dubbed FIN6, and found them to be aggressively targeting and compromising point-of-sale (POS) systems, making off with millions of payment card numbers.

Stolen data from several of FIN6’s victims has been identified as being sold as far back as 2014. This connection means that data stolen by FIN6 has almost certainly ended up in the hands of fraud operators across the world, as they buy and exploit payment cards from the underground shop. In each case, the stolen data began appearing in the shop within six months of the FIN6 breach.

While the amount of data sold through the shop varies by breach, in some cases more than 10 million cards associated with a specific FIN6-linked breach have been identified on the shop. After being posted, much of the stolen card data is quickly purchased for exploitation. Along with the data we have linked to FIN6, this underground shop has sold data from millions of other cards, which may be linked to breaches perpetrated by other threat actors.

The combined intelligence from the FireEye, Mandiant and iSIGHT intelligence teams was able to not only identify malicious activity aimed at stealing payment card data, but also provide a detailed window into that activity from compromise through monetization of the stolen data.