The FBI has arrested the alleged three leaders of an international crime syndicate that stole huge numbers of credit card numbers – which were subsequently sold on and used to rack up tens of millions of dollars in spending sprees.
Speaking in Seattle, USA, where the Feds' cybersecurity taskforce is based, agents said the "Fin7" group was responsible for stealing more than 15 million credit card numbers at over 3,000 locations, impacting at least 100 businesses.
The group is alleged to have used phishing attacks, sending emails with attachments that launched a customized form of the Carbanak malware on victims' computers. The group targeted people in charge of catering in three main industries – restaurants, hotels and casinos – and followed up the emails with phone calls to those individuals, encouraging them to open the attachment, Uncle Sam's agents said.
Once the software nasty was opened and installed, it would seek out credit card details and customers' personal information from payment systems, and siphon them off to the Fin7 gang – which then sold the sensitive data on online marketplaces to crooks to exploit. Infosec biz FireEye has published a summary of the malware.
The first suspected Fin7 kingpin was arrested back in January in Germany, the authorities said, but that indictment was kept under seal while the FBI continued its investigations. The unnamed individual has since been extradited to the US and will appear in court in Seattle in May.
The subsequent investigation then led to two further arrests: one in Poland and another in Spain. Both are currently in the middle of extradition hearings. The group operated through a front company based in Israel and Russia and operating throughout Eastern Europe.
US Attorney for the Western District of Washington, Annette Hayes, said during a press conference today announcing the arrests that a main goal of the investigation was to make it plain that criminals can no longer rely on the international nature of the internet to get away with their crimes.
"We have taken three key people out," she said. "We have made clear to folks that when they travel abroad and think they are safe, they are not. We are going to find these people and hold them to account. In the sense that they are somehow anonymous and far away and somehow we cannot touch them, we want to send that message that that is wrong."
Even though the estimated cost of the crime group is a drop in the bucket of what a senior director of credit card company Visa, Dan Schott, said is a $600 billion a year global business, he said that this case's importance was that it showed the authorities were capable of fighting back "through cooperation across the private sector."
FBI Special Agent Jay Tabb noted that the case is "the largest, certainly among the top three, criminal computer intrusion cases that the FBI is working right now in terms of loss, number of victims, the global reach, and the size of the organization, the organized crime syndicate doing this."
He noted, however, that although they believe they have arrested the three leaders of Fin7, there are many more individuals involved and the investigation is ongoing. Asked about the sentences that the three individuals face, Hayes noted that it would depend on individual circumstances but that they were looking at "very long sentences" stretching to "decades."
In terms of limiting cybercrime, both law enforcement and credit card representatives made the same recommendations: keep an eye on all your credit card transactions, report any suspicious ones to your credit card company, and do not open suspicious or unexpected downloads and email attachments. ®