FIN7 Group Involved in Skimming Attacks

Delaware, USA – October 8, 2019 – Well-known groups of financially-motivated cybercriminals not only do not remain aloof from continuing to gain popularity in skimming attacks but in fact, are leaders against the background of young hacking teams. At the end of summer, IBM X-Force IRIS linked Magecart Group 6 to FIN6, showing that the group has not disappeared and is using its vast experience in the new field. This finding allowed the cybersecurity community to suggest that well-known threat actors might be hiding behind the most skilled Magecart groups. Last week, researchers from Malwarebytes and HYAS found a connection between the FIN7 group that had almost disappeared from the radar after the arrest of several key members and one of the advanced skimming groups, Magecart Group 4. During one of the investigations, the researchers discovered that the group not only deployed skimmers on the client-side but probably continues to do the same on the server-side. Attackers use advanced methods to disguise malicious traffic, for example, by registering domain names associated with analytic companies or advertisers. Also, Magecart group 4 has experience in developing and use of banking malware, just like the FIN7 group. After the analysis of server-side skimmer, Tactics, Techniques, and Procedures of the group, and attacks infrastructure, researchers found intersections with past FIN7 campaigns.

The FIN7 group (also known as Anunak, Cobalt Group or Carabank) has been active since at least 2014 attacking financial institutions worldwide. Despite the arrest of ringleaders, the cybercriminals continue and expand their operations stealing payment card data with skimmers. You can use Web Application Security Framework rule pack to uncover attacks on your web servers: