Stratos Ally

Fin7 Cybercrime Group Resurfaces In 2024

The Russia-based cybercrime group Fin7, known for phishing and malware attacks that have resulted in $3 billion in losses since 2013, has resurfaced and is active in 2024. U.S. authorities declared the group inactive in 2023, but it has now set up thousands of fake websites with the support of Stark Industries Solutions, a hosting provider linked to numerous cyberattacks.

Security firm Silent Push has identified over 4,000 hosts linked to Fin7, which uses tactics such as typosquatting, malicious ads, browser extensions, and spearphishing to target sites including American Express, Google, Microsoft 365, Netflix, and many more.

The most common techniques they use are:

  1. Typosquatting: Fin7 registers domains similar to popular software tools, promoting them via Google ads to appear above legitimate sources in search results. 
  2. Malicious Extensions: The group uses sponsored ads to prompt downloads of fake browser extensions that install malware.
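
A defender-side check for the typosquatting pattern in the list above, as an added example that is not from Silent Push or the original article: it flags observed domains whose name imitates a watched brand. The brand watchlist, the digit-swap table, the distance threshold of 1, and the sample `.example` domains are assumptions constructed for illustration.

```python
import re

# Brand label -> legitimate domain (watchlist is an assumption for this example).
BRANDS = {"google": "google.com", "netflix": "netflix.com",
          "americanexpress": "americanexpress.com", "louvre": "louvre.fr"}
# Common digit-for-letter swaps seen in lookalike names (assumed table).
HOMOGLYPHS = str.maketrans("013457", "oleast")

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain):
    """Return (brand, reason) if the domain imitates a watched brand, else None."""
    domain = domain.lower().rstrip(".")
    legit = tuple(BRANDS.values())
    if domain in legit or domain.endswith(tuple("." + d for d in legit)):
        return None  # the real domain or one of its subdomains
    # Naive registrable label: no public-suffix handling (e.g. co.uk).
    label = domain.split(".")[-2] if "." in domain else domain
    for token in re.split(r"[-_]", label):
        folded = token.translate(HOMOGLYPHS)
        for brand in BRANDS:
            if token == brand:
                return (brand, "brand-token")   # brand plus keyword, or other TLD
            if folded == brand:
                return (brand, "homoglyph")     # digits standing in for letters
            if osa_distance(folded, brand) <= 1:
                return (brand, "near-match")    # one typo or swapped pair
    return None

if __name__ == "__main__":
    # Constructed sample domains on the reserved .example TLD.
    for d in ["google.com", "gooogle.example", "g00gle.example",
              "netlfix.example", "louvre-tickets.example", "weather.example"]:
        print(d, "->", classify(d))
```

Run it over newly observed domains from DNS, proxy, or certificate-transparency logs; a production version should use a public-suffix list and a longer watchlist.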

In their previous campaigns, Fin7 was responsible for data breaches at Chili’s, Arby’s, Saks Fifth Avenue, and many more. They were also responsible for starting a targeted email campaign to trick employees involved with SEC filings into giving up sensitive information. Fin7 started using a new ransomware called ALPHV, which was offered as a service to other criminals. In February 2023, Fin7 was identified as the group behind a ransomware attack on Munster Technological University in Ireland.

In their current campaign, Fin7 is targeting tourists visiting France for the Summer Olympics, with phishing sites posing as ticket vendors for the Louvre. 

Silent Push hopes that law enforcement will recognize Fin7’s renewed activity and take action. The cybersecurity community is encouraged to investigate and mitigate Fin7’s infrastructure. 
