Sysadmin for FIN7 criminal cracking group gets 10 years in US prison for managing card slurping malware scam

Plus Pwn2Own faces fire and update Chrome immediately


In Brief The former systems administrator for the FIN7 card-slurping gang has been sentenced to 10 years in a US prison.

Fedir Hladyr, 35, pled guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking last year, and on Friday was sentenced for his role in the theft and resale of more than 20 million customer card records from over 6,500 point-of-sale terminals across the US using the malware dubbed Carbanak.

Hladyr set up a front company, Combi Security, to cover his actions as he funneled the purloined data around the criminal underworld. He managed the encrypted comms network the gang used, ran the server farms used to spread and exploit malware, and coordinated individual attacks.

“This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” said acting US Attorney Tessa Gorman of the Western District of Washington.

“This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”

The FIN7 gang targeted the restaurant, gambling, and hospitality industries for easy POS pickings. Other members of the gang arrested in international operations have received hefty sentences.

Busy week for Chrome, security woes cause update, then upgrade 24 hours later

Barely a day after updating Chrome 89 to deal with a JavaScript engine security flaw, Google upgraded again to version 90.0.4430.72, fixing yet more security issues.

Google didn't give a full account of the security updates in the new build, citing understandable security concerns. But the latest version kills off six high-importance security flaws, as well as a lot of medium and low-level issues. It also defaults to HTTPS URLs and blocks downloads from HTTP sources if there's an HTTPS option.

The US Cybersecurity and Infrastructure Security Agency has advised an update as soon as possible.

Chrome 90 also rolls out the Chocolate Factory's controversial Federated Learning of Cohorts (FLoC) ad-tracking tool, which has raised hackles in the security industry and elsewhere. Intended to replace third-party cookies, the ad giant's plans aren't getting much love and have been shunned by some in the browser industry.

Pwn2Own contest pays out, but bug collisions cause prize-slicing conflict

While some bug hunters won six-figure sums at the annual Pwn2Own hacking competition last week, others were initially left short-changed.

The problem stems from bug collisions, where multiple researchers find the same flaws and a way to exploit them. In the past this has led to partial payouts, depending on how many other flaws were used in the attack. But there was some inconsistency, particularly this year.

On Thursday Alisa Shevchenko managed a win with a Parallels Desktop success, and although the organizers acknowledged it was "great work, and we're thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history," a bug collision had been found, so she got a 50 per cent payout.

Katie Moussouris, founder of Luta Security and founder of the Pay Equity Now Foundation, told The Register that she'd acted as a proxy for a partial-victory payout of 60 per cent, and felt that was merited here. While Moussouris did not think this decision was gender-based but rather due to poorly constructed rules, the competition's early attempts to shut down discussion weren't a good look.

"She definitely pwned it and should own it; she did it first try. I feel nothing but love for ZDI and Pwn2Own. This is just an evolution."

Trend told The Reg on Monday that this year the contest had "five partial wins, four of which resulted from bug collisions. For all of these partial wins, teams are compensated through the private sale, which they can refuse."

Developers gone wild? Police check out the Cleve for claimed vandalism

Texan software developer Davis Lu, 51, has been indicted in Cleveland after apparently borking the servers of a local startup.

According to Department of Justice officials, Lu is charged with one count of damaging protected computers after allegedly going after his employer's servers and running malware. The Feds claim he inserted unauthorized code that caused an infinite-loop crash. That is easy to do, but since it caused less than $5,000 in damages and hit fewer than 10 computers, it was apparently ineffective.

"The defendant deleted encrypted volumes, attempted to delete Linux directories and attempted to delete two additional projects," the cops claimed. "Additionally, the company discovered that the defendant had allegedly conducted internet searches on how to escalate privileges, hide processes and delete large folders and/or files."

Seriously folks, don't do this - it's obvious and not worth it. ®


Biting the hand that feeds IT © 1998–2021