The Rising Threat of FIN6 and Its Phishing Tactics
Understanding FIN6’s Modus Operandi
The cybercrime group FIN6, notorious for its financially motivated attacks, is employing an increasingly sophisticated method to achieve its goals. Recent reports indicate that the group has been using fake resumes hosted on Amazon Web Services (AWS) to deliver malware known as More_eggs. By posing as job seekers and interacting with recruiters on platforms such as LinkedIn and Indeed, FIN6 builds a credible rapport before launching its phishing attacks.
The Mechanics of More_eggs Malware
The More_eggs malware is part of a broader toolkit developed by another cybercrime outfit, Golden Chickens, also referred to as Venom Spider. This JavaScript-based backdoor provides advanced capabilities, allowing criminals to steal login credentials, access systems, and stage further attacks such as ransomware deployment. The connection between FIN6 and More_eggs underscores a troubling trend in which cybercriminals continually adapt their strategies to exploit weaknesses in hiring processes and online platforms.
The Historical Context of FIN6
FIN6 has been operational since 2012 and has a well-documented history of targeting point-of-sale (PoS) systems, primarily in the retail and hospitality sectors. Their initial aim was to capture payment card information to generate illicit profit. Over the years, they have evolved their tactics, including the use of Magecart JavaScript skimmers aimed at e-commerce sites to extract sensitive financial data from unsuspecting customers.
Recent Activities
According to Visa, the group has utilized More_eggs since at least 2018, focusing on infiltrating e-commerce platforms to inject malicious JavaScript. Their end goal remains consistent: capturing payment card data. Reports reveal that FIN6 has monetized stolen data through various channels, including selling it on dark web marketplaces like JokerStash before it was shut down in early 2021.
The latest tactics employed by FIN6 involve sophisticated social engineering. By creating fake profiles as job seekers and initiating conversations with recruiters, they direct potential victims to links that seem to host their resumes. These links—such as bobbyweisman[.]com and ryanberardi[.]com—masquerade as trustworthy personal websites.
Techniques for Evasion and Obfuscation
To make their operations more difficult to trace, FIN6 has registered these malicious domains anonymously through GoDaddy, utilizing domain privacy services. This approach effectively shields their true identities, complicating efforts for cybersecurity teams to address the threat. Although GoDaddy is a reputable domain registrar, its privacy features are sometimes exploited by malicious actors to obscure their registrations.
FIN6's use of trusted cloud services such as AWS Elastic Compute Cloud (EC2) or S3 to host these phishing sites significantly strengthens its evasion tactics. The sites apply traffic filtering so that only the intended targets can reach the malicious payload. Once a potential victim interacts with the site, they often face a CAPTCHA challenge designed to screen out automated traffic.
Specific Targeting Techniques
The approach is further refined so that the malicious document is served only to visitors who appear to be on residential IP addresses and using common Windows-based browsers. If a visitor is identified as coming from a known VPN, cloud infrastructure, or a corporate security scanner, they receive only a harmless plain-text version of the supposed resume.
When a victim downloads the disguised ZIP archive, opening it triggers a sequence that installs the More_eggs malware on their system. This strategic deployment highlights how effective low-complexity phishing can become when combined with advanced technology and infrastructure.
Implications for Cybersecurity
FIN6’s Skeleton Spider campaign serves as a stark reminder of how cybercriminals continue to evolve in their phishing techniques. By leveraging seemingly mundane job lures and sophisticated evasion tactics, they remain ahead of detection tools employed by cybersecurity professionals. This evolving landscape calls for heightened vigilance and innovative strategies within the cybersecurity community to effectively combat these genuine threats in the digital workforce.