Hacking group FIN6 changes tactics and aims at e-commerce websites

Card-skimming code injected into online checkout pages of retailers

Hacking on keyboard

Hackers have been discovered injecting malware into compromised e-commerce websites that steal payment card data from unsuspecting victims.

According to a blog post by security researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 (a.k.a. ITG08) is better known for targeting point of sale (PoS) terminals in Europe and the US but lately has changed tactics.

It a new campaign, hackers have been found injecting malicious code into online checkout pages of compromised websites a technique known as online skimming thereby stealing payment card data transmitted to the vendor by unsuspecting customers.

Researchers said that the cyber criminal gang has been actively attacking multinational organisations, targeting specific employees with spear-phishing emails advertising fake job advertisements and repeatedly deploying the More_eggs JScript backdoor malware (aka Terra Loader, SpicyOmelette).

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

They added that this backdoor has been sold on the dark web by an underground malware as a service (MaaS) provider.

The gang are also used common tactics from earlier campaigns, such as Windows Management Instrumentation (WMI) to automate the remote execution of PowerShell scripts, PowerShell commands with base64 encoding, and Metasploit and PowerShell to move laterally and deploy malware.

They have also used Comodo code-signing certificates several times during the course of the campaign.

To gain entry into an organisation's infrastructure, the gang targeted employees via LinkedIn messaging and email, advertising fake jobs.

"In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert," researchers said.

"Once clicked, the URL displayed the message, Online preview is not available,' then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description."

Advertisement - Article continues below

That URL, in turn, downloaded a ZIP file containing a malicious Windows Script File (WSF) that initiated the infection routine of the More_eggs backdoor.

Once in, hackers then used WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment.

"The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems, subsequently spawning a Meterpreter session and Mimikatz," said researchers.

Mimikatz is a post-exploitation tool that allows attackers to steal credentials.

Advertisement
Advertisement - Article continues below

"Stolen credentials are usually leveraged to facilitate privilege-escalation and further lateral movement through the compromised environment," said researchers.

The hackers then planted backdoors on several other devices to enable the hackers to find more ways into a victim's network.

Advertisement - Article continues below

Researchers said that the gang has been around for four years: "Its attacks are financially motivated, sophisticated and persistent. The group historically has specialized in stealing payment card data from POS machines and has more recently expanded operations to target card-not-present data from online transactions."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/network-internet/web-browser/354614/microsoft-developer-declares-its-time-to-ditch-ie-for-edge
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020