Security researchers have lifted the lid on the lucrative world of financially motivated cybercrime, claiming the ‘FIN6’ group may theoretically have made as much as $400 million from a single POS data heist.
FireEye and iSight Partners combined their threat intelligence efforts to compile the Follow the Money report.
It details how, by targeting various companies mainly in the retail and hospitality sectors, and using classic targeted attack techniques, the group managed to deploy Trinity POS malware on around 2000 systems.
The resulting stolen data, dating back as far as 2014, was found on a single underground card site.
The report continues:
“Our analysis of the data sold through this underground vendor indicates that FIN6’s compromises are highly profitable to the actors involved, potentially resulting in extensive fraud losses. For instance, in one FIN6-linked breach the vendor was advertising nearly 20 million cards. These cards were predominantly from the United States and selling for an average of $21. So the total return for the shop — if all the data was sold at full price — could have been about $400 million.”
The report goes on to clarify that it’s unlikely FIN6 made the full $400m as buyers want the newest card data possible, which makes laundering stolen cards trickier than stealing them.
“Still, a fraction of $400 million is a significant sum,” it adds.
There is now added pressure to launder those stolen cards as soon as possible, especially in the US, where the majority of FIN6’s victims were, given the ongoing migration to EMV.
EMV makes stolen card data very difficult to use for cloning physical cards, which is what most US fraudsters currently buy it for on underground sites.
Once the majority of businesses have switched over to EMV, fraud is predicted to shift to card-not-present (i.e., e-commerce) transactions as a result.