
FIN7 Hackers Recruit Through Fake Company | Cyberattack News

October 21, 2021

FIN7 Employs Deceptive Tactics to Expand Ransomware Operations

A Russian-linked hacking group, known as FIN7 and motivated by financial gain, has established a fraudulent company. This scheme aims to attract unsuspecting IT professionals to bolster their ransomware capabilities, as discovered by security researchers.

Operating Under False Pretenses: Bastion Secure

Researchers from Recorded Future’s Gemini Advisory unit have revealed that FIN7, previously notorious for compromising point-of-sale systems and illicitly obtaining over $1 billion through credit card theft, is currently operating under the alias Bastion Secure.

Bastion Secure presents itself as a provider of specialized cybersecurity services for the public sector. Its website is designed to appear legitimate and trustworthy.

Mimicking Legitimate Businesses

The research indicates that FIN7 is leveraging publicly accessible information from established, genuine cybersecurity firms. This includes phone numbers, office addresses, and copied website content to create an illusion of authenticity.

For instance, Bastion Secure’s website falsely claims to have received the “Best Managed Security Service” award at the SC Magazine awards in 2016. It also asserts a fabricated acquisition of its consultancy division by Six Degrees in the same year.

Website Replication and Hosting

Analysis of the fake company’s website revealed substantial replication from the website of Convergent Network Solutions, a legitimate cybersecurity organization. The site is hosted on Beget, a Russian domain registrar frequently utilized by cybercriminals.

Furthermore, certain submenus on the fraudulent website redirect to Russian-language “page not found” errors, potentially indicating the Russian-speaking origins of the site’s creators.

Browser Warnings and Job Postings

At the time of writing, both Chrome and Safari have flagged the site as “deceptive” and block access to it.

The advertised job vacancies at Bastion Secure appear legitimate, seeking programmers, system administrators, and reverse-engineers. The job descriptions closely resemble those found in typical cybersecurity companies.

Recruiting for Cybercriminal Activity

Recorded Future asserts that FIN7, operating as Bastion Secure, intends to assemble a team capable of executing a variety of cybercriminal tasks.

Ransomware is a key focus, with the researchers noting that system administrators are particularly valuable due to their ability to deploy ransomware attacks.

Revealing the True Nature of the Operation

The interview process itself raised red flags. While the initial stages appeared normal, the third stage, involving a “real” assignment, exposed the criminal intent.

Researchers determined that the company was engaged in illicit activities, with a particular interest in file systems and backups – a clear indicator of ransomware attack planning.

Utilizing Known Hacking Toolkits

A Recorded Future researcher, offered a position at Bastion Secure, analyzed the provided tools. These tools were identified as components of the Carbanak and Tirion (Lizar) post-exploitation toolkits, previously linked to FIN7 and used for both point-of-sale hacking and ransomware deployment.

Cost-Effective Talent Acquisition

Recorded Future suggests that FIN7’s use of a fake cybersecurity company is driven by a desire for affordable, skilled labor.

Job offers at Bastion Secure ranged from $800 to $1,200 USD per month, a viable starting salary in post-Soviet states. This allows FIN7 to secure the necessary talent while maximizing profits.

Previous Deceptive Practices

This is not the first instance of FIN7 employing such tactics. The group previously operated under the guise of “Combi Security” before public scrutiny forced its closure.

Avoiding Law Enforcement Scrutiny

Brett Callow, a ransomware expert at Emsisoft, explained to TechCrunch that the Bastion Secure facade likely aims to evade law enforcement attention.

“Hiring from the dark web presents risks, as applicants could be undercover law enforcement. Standard job ads mitigate these risks, and the fake company may also facilitate money laundering,” Callow stated.

Misleading employees is also a concern, as they may unknowingly conduct penetration testing on unwilling targets.
