Spread the Microsoft Word

Alexander Freund

You have probably never heard of the organization called FIN7.  Although estimates vary, FIN7, a very organized and successful Ukrainian based hacking group, has probably earned well over a billion dollars (with a B) from businesses all over the world.  It appears that stolen credit cards were their primary revenue generator, but the full scope of the operation and its capabilities remain clouded by a criminal investigation after three high-profile members were caught, arrested, and indicted in the US.  What is clear, and the purpose of this blog posting is that FIN7’s preferred tool for gaining entry into the IT infrastructure of targeted businesses was Microsoft Word.  I would like to acknowledge the really great article in Wired last month which inspired me to write this piece, and spread the “word”.  You can follow the URL below for the original article:

https://www.wired.com/story/fin7-wild-inner-workings-billion-dollar-hacking-group/?mbid=email_onsiteshare

FIN7 generally followed the same formula, always starting with an email.  It would appear the group was targeting businesses that typically handle lots of customer service complaints, and disguised their emails as customers reaching out with a question or a complaint.  Generally, another email followed with an attached MS Word document with details of the complaint, reservation request, etc.  Once these attachments were opened, the unsuspecting representative’s computer was added to a bot network with command and control malware.  From there, additional computers were compromised, files were copies, screenshots and video of the workstation were captured to steal additional credentials and any other valuable information.

I have been posting and speaking about the importance of security awareness training, and more specifically anti-phishing training as a new requirement for EVERY business.  It isn’t expensive (average of about $2.00/user/month).  The companies that do this training essentially send specially crafted phishing emails on a continuing basis trying to get your employees to click on the links.  If anyone clicks on one of the links, they are notified that they got “phished”, and redirected to training videos and content.  These companies also track statistics for your staff and provide trending reports so you can see the improvement over time.  What I really like about this type of continuous training is that your new hires are immediately added to the program, so it’s not like trying to do the training once or twice a year.

In the case of FIN7, there was no way for the victims to tell that these were phishing emails, as customer complaints can come from anywhere.  However, one idea that I think bears further consideration is removing attachments from all internet email (email coming from outside an organization), especially for vulnerable staff like customer service representatives that should not be handling attachments at all.  Either way, I can tell you that I won’t be opening any Word documents that I am not specifically expecting from a third party.

Share this post