Please Put That on His Tab

By Michael Fiorito, MDS

FIN6 is a cybercriminal group known for stealing and monetizing payment card data. They work in a very methodical manner, strategically acquiring pieces of data over a period of time to gain access, compromise systems and ultimately sell the data for millions of dollars. Initial access is often gained, successfully, through targeted spear-phishing campaigns over email.

In one such attack studied by FireEye, after obtaining access using valid credentials, FIN6 established backdoors and escalated privileges.

Using tools like Metasploit, Windows Credentials Editor and other public utilities, they harvested administrator credentials and further escalated privileges. According to FireEye forensics, after a beachhead was established, “FIN6 began lateral movement using credentials stolen from various systems on which they gathered usernames and password hashes.”

Once the Point of Sale (PoS) systems were located, FIN6 deployed additional malware to find and steal payment card information. That data was then exfiltrated to external servers.

This information was then auctioned on the black market. In one breach FIN6 advertised almost 20 million cards, mostly from the U.S., selling for an average of $21 each and totaling around $400 million.

In 70% of the cases we respond to, the activity can be traced back to stolen, legitimate credentials.

Nart Villeneuve, Analyst, FireEye

By combining its efforts with iSIGHT Partners, which it acquired in January, FireEye managed to track the group’s activities from the initial intrusion up to the point where they sold the stolen data.


Pulling the plug doesn't have to be your only security solution.

Don’t become part of a rising statistic — ensure your company is armed against a security hack.