{
	"id": "5b6a9de5-1e1c-43f9-b6ef-9ee34e8d1c69",
	"created_at": "2026-04-06T00:12:52.09553Z",
	"updated_at": "2026-04-10T13:12:52.769481Z",
	"deleted_at": null,
	"sha1_hash": "afc4a4ef39388a8e16eeb82b4119890179f83032",
	"title": "PoS Attacks Net Crooks 20 Million Stolen Bank Cards",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35601,
	"plain_text": "PoS Attacks Net Crooks 20 Million Stolen Bank Cards\r\nBy Tom Spring\r\nPublished: 2016-04-21 · Archived: 2026-04-05 18:03:40 UTC\r\nA report released Thursday shines a bright light on point-of-sale system attacks targeting hospitality and retail businesses that could have earned cyber crooks a $400 million payday.\r\nIn a storyline that rivals an episode of The Sopranos, researchers at FireEye documented the theft of bank card data from 20 million individuals, carried out by a complex web of crooks that may have netted the hackers more than $100 million since 2014.\r\nIn conjunction with the recently acquired iSIGHT Partners, FireEye released a report Thursday that shines a bright light on point-of-sale system attacks targeting hospitality and retail businesses. The attacks, outlined in the report “Follow the Money,” began in 2014 and are ongoing; FireEye attributes them to a group it calls FIN6.\r\nWhat is unique about the report is that FireEye’s research goes beyond the technical, such as the attack vectors and exploits used in PoS attacks. Instead, the report reveals the often undocumented way criminals work together to penetrate a network, install malware, plant shellcode, steal bank card data and sell it on the black market.\r\nPoS systems, FireEye said, are increasingly being targeted. As more U.S. companies snuff out point-of-sale malware by deploying chip-and-PIN bank card technology, attackers are rushing to exploit the magnetic-stripe card systems still in use, which remain vulnerable to malware.\r\nFIN6, FireEye said, is tied to more than 20 million stolen credit cards. In the course of its investigation, FireEye observed the cards showing up on an underground marketplace, selling for $21 a card, potentially delivering a $400 million payday.\r\nResearchers say that FIN6 most likely worked initially with a group that offered malware as a service, essentially to shop for PoS victims. 
Initial infections were of random computers via indiscriminate spam campaigns that included malicious Word macros.\r\nFireEye identified Grabnew (also known as Vawtrak and Neverquest) as the primary malware planted on computers and used to capture credentials on infected systems. Those credentials, FireEye suspects, were then cross-referenced with previously stolen data supplied by third parties to help identify the best PoS targets.\r\n“FIN6’s use of Grabnew, or credentials collected by Grabnew, is not altogether surprising and possibly points to a cybercrime support ecosystem that opens doors to threat actors capable of lateral movement and more damaging activities,” wrote FireEye.\r\nAfter gaining access to systems, FIN6 used a Metasploit PowerShell module to download and execute shellcode that set up a local listener, which in turn executed further shellcode received over a specific port, according to FireEye. FIN6 then used the downloaders Hardtack and Shipbread to extend its foothold and establish backdoor access to the compromised environment. Both tools, according to the researchers, were configured to connect to remote command-and-control servers, giving the attackers remote control of compromised systems.\r\nOnce FIN6 has penetrated computers tied to PoS systems, it deploys the Trinity (aka FrameworkPOS) PoS malware to steal magnetic-stripe payment card data. FireEye was able to document FIN6’s ability to amass 20 million bank card records from one incident. FireEye said the cards stolen in that instance were predominantly from U.S. victims.\r\nOnce Trinity identifies bank card data, “it copies and encodes it to a local file in a subdirectory of the c:\\windows\\ directory while attempting to conceal these files with .dll or .chm extensions,” according to the report. 
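The staging behaviour just described (card data encoded into a file under the Windows directory and disguised with a .dll or .chm extension) gives defenders a cheap hunt: a genuine DLL begins with the PE header bytes MZ and a genuine compiled HTML help file begins with ITSF, so any file carrying one of those extensions without the matching signature deserves a look. The Python script below is an added example written for this page, not code from FireEye, from the Threatpost article or from the FIN6 report. The signature values, the directory layout, the file names and the sample contents are all constructed for the demonstration; the Track 2 sniff on flagged files is a secondary signal added here on the assumption that a staging file might be left unencoded, which the report does not claim.

```python
import os
import tempfile

# Well-known file signatures for the two extensions the report says Trinity
# abuses when hiding its staging files (assumed here; the FireEye report is
# not the source of these values).
MAGIC = {
    '.dll': (b'MZ',),    # DOS/PE executable header
    '.chm': (b'ITSF',),  # compiled HTML help container
}

def all_ascii_digits(s):
    # True only for non-empty strings of the characters 0-9 (str.isdigit
    # would also accept latin-1 superscripts such as the byte 0xB2).
    return s != '' and all('0' <= c <= '9' for c in s)

def luhn_ok(pan):
    # Standard Luhn checksum used on card numbers; pan is a string of digits.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def track2_pans(data):
    # Find plain Track 2 records (;PAN=YYMM...?) in a byte blob and return
    # the Luhn-valid PANs. Secondary signal only: the article says Trinity
    # encodes its output, so an unencoded hit is a bonus, not an expectation.
    pans = []
    text = data.decode('latin-1')
    for chunk in text.split(';')[1:]:
        pan, sep, rest = chunk.partition('=')
        if (sep == '=' and 13 <= len(pan) <= 19 and all_ascii_digits(pan)
                and all_ascii_digits(rest[:4]) and luhn_ok(pan)):
            pans.append(pan)
    return pans

def hunt(root):
    # Walk root and flag every .dll/.chm whose leading bytes do not match the
    # signature its extension promises. Paths are returned relative to root
    # with forward slashes so the result is the same on any platform.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                head = fh.read(65536)
            if any(head.startswith(m) for m in MAGIC[ext]):
                continue
            hits.append({
                'path': os.path.relpath(path, root).replace(os.sep, '/'),
                'size': os.path.getsize(path),
                'track2_pans': track2_pans(head),
            })
    return sorted(hits, key=lambda h: h['path'])

def build_sample_tree():
    # Constructed sample tree standing in for a PoS host's Windows directory:
    # two genuine files and two disguised staging files. Nothing here comes
    # from a real incident; the PAN is the usual Visa test number.
    root = tempfile.mkdtemp(prefix='poshunt_')
    sub = os.path.join(root, 'System32', 'spool')
    os.makedirs(sub)
    samples = {
        'legit.dll': b'MZ' + bytes(62) + b'PE' + bytes(200),
        'help.chm': b'ITSF' + bytes(100),
        'cache.dll': b'QUJDREVGR0hJSktM' * 32,  # base64 text, no PE header
        'index.chm': b';4111111111111111=2512101123400000?;1234=5678?',
    }
    for name, content in samples.items():
        with open(os.path.join(sub, name), 'wb') as fh:
            fh.write(content)
    return root

if __name__ == '__main__':
    for hit in hunt(build_sample_tree()):
        print(hit)
```

Point hunt() at the Windows directory of a suspect PoS host (read-only, with administrator rights) and treat every hit as a lead rather than proof: the match is on the file signature, not on content, and because the article does not describe Trinity's encoding, an empty track2_pans list says nothing about whether the file holds card data.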
In one particular case, researchers say, FIN6 compromised and deployed Trinity on 2,000 systems, resulting in millions of exposed cards.\r\nSo what does a crook do with millions of hot credit card numbers that lose value every hour after they have been stolen? Sell them on the black market. That’s when FIN6 calls in the expertise of a digital fence that deals in laundering stolen credit card data.\r\n“In reality, the shop would typically only make a fraction of this figure ($400 million), since not all the data would be sold (laundering stolen cards is typically much harder than stealing them), buyers want the newest data they can get (data that has been on the shop for a while loses its value), and the shop offers discounts based on various criteria. Still, a fraction of $400 million is a significant sum,” according to FireEye’s report.\r\nThe operators of the underground card shops, FireEye said, hung online shingles in geographies where law enforcement is ill-equipped to track them down, or within anonymous networks such as Tor.\r\nSource: https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/"
	],
	"report_names": [
		"117595"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6",
				"ITG08",
				"MageCart Group 6",
				"Skeleton Spider",
				"Storm-0538",
				"White Giant"
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afc4a4ef39388a8e16eeb82b4119890179f83032.pdf",
		"text": "https://archive.orkl.eu/afc4a4ef39388a8e16eeb82b4119890179f83032.txt",
		"img": "https://archive.orkl.eu/afc4a4ef39388a8e16eeb82b4119890179f83032.jpg"
	}
}