The Humdrum Worklife of Cybercriminals

(The Son of Man, by Rene Magritte)

Most people think of hackers as isolated individuals, acting from the privacy of dark basements with only large-screen monitors to keep them company. At worst, they are decentralized organizations, like the hacktivist organization that gained notoriety in the early 2000s, Anonymous. But the playing field has changed significantly in the last decade.

We know that 80% of cyber attacks are being carried out by sophisticated gangs of criminals, and the way they go about their business is similar to the work environment of the very organizations they rob.

Hacker Business FIN7: Constant Evolution

“They’re not the best-trained, best operations security people on the internet, but they are professional. They go to work in the morning and their job is to steal credit card numbers.”

- William Peteroy, CEO of the security firm Icebrg

FIN7 is an organized, malicious entity that has gained notoriety for targeting businesses in retail and finance. They are suspected to be behind the Carbanak attacks against Russian banks in 2014, which caused ATMs to spew money into the streets for FIN7 members to collect. More recently, they are suspected of attacking Point-of-Sale systems, as well. The organization moves methodically and, once a target is identified, probes defenses relentlessly until the mission is accomplished.

How do we know that FIN7 operates like a business?

Only a large, sophisticated, and well-organized operation could achieve their level of adaptiveness. Take a look at just one part of their operation, phishing attacks.

A phishing attack begins with an email sent to a target’s inbox. Within the email, there is a fraudulent link that, if clicked, immediately infects the victim’s computer. Phishing attacks are difficult for large organizations to stop because even if 500 employees successfully identify an attack and delete the email without clicking, one employee can still give away the keys to the castle. All it takes is one click.

FIN7’s preferred delivery method is to embed its malware in RTF and DOCX documents, which it sends to employee email addresses. If an infected document is downloaded, it quickly sets off a chain of commands that silently turns the workstation against the business.

The primary vulnerability of this strategy is discovery by antivirus software, which typically scans all attachments for malicious content. If the target’s antivirus scans the DOCX file and flags a threat, the jig is up.

FIN7 invests significant resources to ensure that won’t happen. According to Icebrg, a security firm that tracks FIN7, the latest update to their software was detected by 0 of 59 antivirus engines for the RTF documents and by 1 of 59 for the DOCX documents.

The group is constantly morphing to keep the odds in its favor and to let its phishing attempts slip in under the radar. This requires constant adaptation to the defenses that cybersecurity professionals deploy, and FIN7 is remarkably efficient in this arena. We have outlined two ways they stay one step ahead of defenders.

Moving to Greener File Types

Last year, FIN7’s bread-and-butter was to use malicious shortcut files (LNK) to gain entry into the target’s system. Not anymore.

As soon as security organizations were able to recognize these files as threats, the organization pivoted. CMD files are what they use “today.” But when you are dealing with an organization like FIN7, you can be fairly certain that if you know what they are doing, they aren’t doing it anymore.

Staying One Step Ahead of Detection Software

In addition to pivoting on the file types it uses, FIN7 also keeps morphing its detection surface. Yesterday, they stored their code in a string array variable called “srcTxt.” Today, they obscure that telltale variable by breaking the code up into multiple strings, which are far more difficult for signature-based detection to match.

These are only two of the most recent, simplest adaptations. But even these need to be thought up, developed, and tested repeatedly against multiple antivirus products before being rolled into the latest phishing emails. That requires continuous process, coordination, organization, and leadership.

If this doesn’t sound like your business, don’t you wish it did?

How to Prevent Cybercrime in Your Organization

FIN7 only targets large organizations in retail and banking, but they rely heavily on phishing, which can be stopped.

Be sure your antivirus scans all email attachments for malicious content before downloading. And if you receive a message that seems a bit off, even if it is from someone you know, confirm with that person through another channel to ensure they actually sent the email.

Above all, make sure the entire business is aware of current cybercriminal capabilities, so they can identify phishing emails and stop would-be hackers.