Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6 – SlashdotMedia AdOps Asset Management

Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often fragmentary, as the full scope of attacker activity typically occurs beyond the view of any one group of investigators.

FireEye Threat Intelligence and iSIGHT Partners recently combined our research to provide a unique and extensive look into the activities of one particular threat group: FIN6.

FIN6 is a cyber criminal group that steals payment card data for monetization from targets predominately in the hospitality and retail sectors. The group was observed aggressively targeting and compromising point-of-sale (POS) systems and making off with millions of payment card numbers. These card numbers were later sold on a particular underground “card shop,” potentially earning FIN6 hundreds of millions of dollars.

This report provides wide-ranging, end-to-end visibility into FIN6’s cybercrime operations, detailing initial intrusion, methods used to navigate the victim network, other tactics, techniques, and procedures (TTPs), and the sale of stolen payment card data in an underground marketplace.
