Billions stolen as phishing attacks launched over email, phone, and snail mail.
The system administrator of an elite Ukrainian hacking group that stole more than 15 million credit cards and bank account details has been sentenced to a decade in US federal prison.
The Fin7 (also known as Carbanak) hacking group made hundreds of millions of dollars developing and spreading highly-specialised malware capable of siphoning credit and debit card information, which was then sold on underground criminal forums.
All told, the group stole and sold more than 20 million customer card records from some 6500 point-of-sale terminals.
Ukrainian national Fedir Hladyr, 35, pled guilty to counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.
The hacking group operated a fake penetration testing business, Combi Security, to recruit hackers (including Hladyr, according to his plea deal) and conceal illegal activities. Combi Security listed some of Fin7’s victims as its clientele on its website.
Hladyr was responsible for system administration work including securing the hacking group’s communications, managing its server farm, and launching attacks.
Those attacks targeted organisations in the United States along with a smaller undisclosed number of organisations in Australia, the United Kingdom, and France.
Law enforcement arrested Fin7 leadership in 2018 but many members remain at large. Authorities estimate Fin7 had some 70 members organised into distinct teams responsible for malware development, infection spreading, and the composition of phishing messages.
The group sent expertly-crafted phishing messages. Fin7, unlike most cyber criminals, crafted well-written phishing emails tailored to a victim’s industry. It sent food orders to restaurants with malware-laden Word documents and issued fake but convincing invoices.
The group even followed up phishing emails with phone calls to bolster the legitimacy of their scams.
An arsenal of tools, including the group’s eponymous Carbanak malware, would deploy when phishing email attachments were opened.
Fin7 even sent phishing messages through the post with malware contained within USB sticks.
Acting US Attorney Tessa Gorman of the Western District of Washington said the group inflicted billions of dollars in losses.
“Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” Gorman said in a statement.
“This defendant (Hladyr) worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”