This article is more than 1 year old
Carders cash out hundreds of millions before USA adopts EMV
Stolen card values on the way down ahead of chip card debut
A hacker group has stolen some 10 million credit cards, putting itself in a position to score US$400 million (£279 million, A$516 million) by infecting 2000 payment terminals with the Trinity point of sales malware.
Security firm FireEye and subsidiaries iSIGHT Partners and Mandiant examined the "Fin6" group last year after it was found plundering millions of cards.
The first two firms now say the cards stolen from hospitality and retails firms have earned the hacking group hundreds of millions of dollars with each card sold for an average of US$21 on secret popular carder shops.
The criminals have sold filched cards since 2014 and have ramped up the cash-out as the value of the stolen cards drops as the United States adopts EMV credit card security.
Findings are detailed in the report Follow the Money [PDF] which details all aspects of the breach method other than the point of initial compromise.
The crooks use valid user credentials to gain access, after which modules of the popular Metasploit framework are used to maintain a foothold and set up links with command and control servers to execute shellcode.
From there the group followed the advanced-persistent threat cookbook and used various tools to gain privilege escalation and pivot to sensitive areas of the targeted network.
Tools exploited three dusty patched vulnerabilities (CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398) that turn local users into kernel-level gods, while the PsExec Metasploit module allows the Active Directory database (ntds.dit) to be swiped and password hashes cracked online.
In one day, so write the researchers, Fin6 flayed 900 SQL servers gaining intel information to support further hacking operations.
The exfiltration of point of sales data once collected through Trinity took a few more steps, as follows:
"FIN6 used a script to systematically iterate through a list of compromised POS systems, copying the harvested track data files to a numbered log file before removing the original data files. They then compressed the log files into a ZIP archive and moved the archive through the environment to an intermediary system and then to a staging system.
From the staging system, they then copied the stolen data to external command and control servers under their control using the FTP command line utility."
The hacking group is the latest carding group in a line that tracks sequentially back to the original FIN1 gang. ®