- Aug 17, 2014
The financially motivated cybergang FIN6, known for going after brick-and-mortar point-of-sale (PoS) card data in the U.S. and Europe, has changed its tactics to target e-commerce sites.
According to researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 (a.k.a. ITG08) has been spotted injecting malicious card-skimming code into online checkout pages of compromised websites. The code steals payment-card data as it’s entered into shopping-cart forms.
However, that’s only part of the story. Before injecting the code, FIN6 gains access to the target environment and installs a backdoor, then pivots to steal additional information from across the victim network.
The backdoor is More_eggs, a JScript backdoor also known as Terra Loader or SpicyOmelette, according to IRIS.
The recently observed campaign began with targeted emails.
“We believe ITG08 is actively attacking multinational organizations, targeting specific employees with spearphishing emails advertising fake job advertisements,” according to a Thursday writeup by IRIS.