FIN6 APT targeting individuals via LinkedIn in a bid to get web skimmers onto e-commerce sites

IBM X-Force warns of new spear-phishing attacks by APT it has tracked since 2015

Hackers likely linked with threat group ITG08 (or FIN6) are targeting ecommerce websites to steal payment card data from incautious victims.

That's according to security researchers at IBM's X-Force Incident Response and Intelligence Services (IRIS), who revealed that they recently observed members of the FIN6 group injecting malicious card-skimming code into the online checkout pages of compromised retailer websites.

FIN6 is a cybercrime group active since 2015 and known for aggressively attacking point-of-sale (PoS) systems, especially in the retail and hospitality sectors, in the US and Europe. According to security researchers, the group steals payment card data and sells it on underground marketplaces for money.

The researchers at IRIS recently analysed the adversarial tactics, techniques and procedures (TTPs) of FIN6 and concluded that the group is now actively attacking multinational corporations (MNCs). It is specifically using LinkedIn messaging and spear-phishing emails advertising fake job ads to target employees handpicked by the group members.

To break into an organisation's network, the attackers targeted employees via LinkedIn messaging and email.

In one particular instance, an attacker sent an email to a victim and convinced them to follow a Google Drive link that supposedly contained an appealing job advert.

The URL eventually redirected the victim to a compromised domain, which served a ZIP file containing a Windows Script File (WSF) that was downloaded onto the target's system. That file initiated the infection process for the More_eggs malware (also known as SpicyOmelette and Terra Loader), which finally established a connection to the attackers' command-and-control servers.

From there, the gang installed the card skimmer and, after establishing a foothold on the network, also used PowerShell and WMI techniques to gather more details about the network.

According to researchers, More_eggs malware is available on the dark web from an underground malware-as-a-service provider, and is used by hackers to create and strengthen their foothold on compromised networks.
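The delivery chain described above (a ZIP archive carrying a Windows Script File) is one that mail gateways and endpoint tooling can screen for before the script ever runs. The following is an added example, not code from IBM X-Force or from the article, showing how a defender can inspect a ZIP attachment without extracting it: it flags members whose extension is a Windows Script Host type and also peeks at each member's first bytes for the WSF/XML job markers, which catches a script renamed to look like a document. The archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile

# Extensions that Windows Script Host or mshta will execute directly.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}

# Markers that appear at the start of a Windows Script File regardless of
# what the member is named.
WSF_MARKERS = (b"<job", b"<package", b"<script ")


def suspicious_entries(zip_bytes: bytes, peek: int = 512) -> list[str]:
    """Return archive member names that look like Windows script files.

    A member is flagged when its final extension is a script type, or when
    the first `peek` bytes contain a WSF job/script tag (renamed scripts).
    Nothing is written to disk; members are read only for the peek.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            ext = "." + basename.rsplit(".", 1)[-1] if "." in basename else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
                continue
            with archive.open(info) as member:
                head = member.read(peek).lstrip().lower()
            if any(marker in head for marker in WSF_MARKERS):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Build a constructed test archive: one harmless text member, one .wsf
    member, and one WSF body disguised with a .txt name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Job_Description/README.txt", "Plain text, nothing to see.")
        archive.writestr("Job_Description/Job_Description.wsf",
                         '<?xml version="1.0"?>\n<job id="placeholder"></job>')
        archive.writestr("Job_Description/notes.txt",
                         '<package>\n<job id="disguised"></job>\n</package>')
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_entries(build_sample_archive()):
        print("flagged:", name)
```

In a mail-filtering pipeline the `suspicious_entries` result would feed a quarantine decision or an alert; the peek-based check matters because the extension alone is trivial for an attacker to change, while the WSF format itself needs its XML job markers to run.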

Past attacks by FIN6 using the More_eggs malware were last reported in February this year.

Web or online skimming is a form of card fraud, also called 'Magecart', whereby the JavaScript on a website's payment page is compromised by injecting malicious code into the page to surreptitiously steal payment information as the customer enters it.

Last month, ecommerce companies were warned of a surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems. Cyber security firm Malwarebytes said that it blocked 65,000 web-skimming Magecart attacks in July alone.

Earlier in May, researchers warned that they had discovered a new rogue iFrame phishing technique being used by hackers to steal credit card data.

In March, security researchers also discovered a critical vulnerability in the Magento e-commerce platform that left up to 300,000 websites at risk of card-skimming attacks.