Three members of the notorious hacking syndicate known as Carbanak have been arrested for stealing 15 million payment cards from thousands of point-of-sale machines across the world.
The Carbanak gang, also known as Fin7, has been active since at least 2015 and used its hacking activities to steal payment card records from as many as 6,500 point-of-sale terminals, federal officials said. Targeted companies include fast-food chains such as Chipotle, Red Robin, Arby’s and Chili’s, as well as hotels and casinos.
The Carbanak gang relied on a combination of phishing emails and phone calls. For example, a business might receive a legitimate-looking email about a catering request or hotel reservation with a malicious Word document attached. The hackers would then go as far as calling the business to trick an unwitting employee into opening the phishing email and loading the malicious attachment.
Once infected, the victim’s computer could be used to run additional malware that scanned the network for other vulnerable systems, such as point-of-sale machines. The hackers would then steal any payment card numbers they found, with the goal of selling the stolen card data on digital black markets.
The payment card theft touched 47 states in the US, and also involved intrusions in the UK, Australia, and France. It isn’t clear how federal investigators identified the suspects. But according to the indictments, members of the Carbanak gang often communicated over a private HipChat server, where they shared files containing the malware. They also set up other servers and email accounts through sites such as Yahoo to help plan and operate their schemes.
All three suspects named in Wednesday’s indictments were arrested in Europe. One suspect, Fedir Hladyr, is currently detained in Seattle pending trial; the other two, Dmytro Fedorov and Andrii Kolpakov, are awaiting extradition to the US. The US has charged them with computer hacking, wire fraud, identity theft and other crimes. If found guilty, the suspects could face decades in prison, according to US officials.
However, the investigation into the Carbanak gang remains ongoing. Federal officials believe the gang may number in the dozens. The group has allegedly operated through a front company called Combi Security, which is headquartered in both Russia and Israel and specializes in IT security testing.
It also isn’t clear whether the gang was involved in any other cyber heists. Other iterations of the Carbanak malware have been used in attacks on banks, but those attacks may have been spearheaded by a separate group.