FIN6 is a financially motivated threat actor group in operation since at least 2015. The group has compromised multiple point-of-sale (POS) environments using the TRINITY POS (aka FrameworkPOS) malware. In September 2017, forensic investigations of several undisclosed entities revealed evidence that FIN6 actors changed to target card-not-present (CNP) data when they could not deploy their malware in the POS environment. Evidence shows that FIN6 injected malicious code into the merchants’ eCommerce environment, placing skimming malware on the victims’ checkout pages. Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology.
Visa recommends clients take the following actions to mitigate against these threats:
• Institute recurring checks in local networks for IOCs provided in this report.
• Verify the implementation of required security patches: Payment Card Industry Data Security Standard (PCI DSS) requires that all system components and software are protected from known vulnerabilities by installing security patches. Visit the Payment Card Industry Security Standards Council (PCI SSC) website for more information.
• Regularly scan and test eCommerce sites for vulnerabilities or malware. Hire a trusted professional or service provider with a reputation of security to secure the eCommerce environment. Ask questions and require a report of what was done. Trust, but verify the steps taken by the company you hire.
• Consider using a fully-hosted checkout solution where customers enter their payment details on another webpage hosted by that checkout solution, separate from the merchant’s site. This is the most secure way to protect the merchant and their customers from eCommerce skimming malware. Hosted checkout forms embedded inline on the merchant’s checkout page, such as Visa Checkout, are another secure option.
• Use a Payment Card Industry Data Security Standard (PCI DSS) validated third-party service provider to store, process or transmit cardholder data. Criminals commonly target merchant websites that process payment data. When merchants use a validated and secure service provider, risk exposure for CNP fraud and compromise decreases. A list of validated, registered service providers is available on the Global Registry of Service Providers.
• Comply consistently with industry security standards, such as the Payment Card Industry Data Security Standard (PCI DSS), including the PCI Best Practices for Securing e-Commerce, January
• Set up a Web Application Firewall to block suspicious and malicious requests from reaching the website. There are options that are free, simple to use, and practical for small merchants.
• Limit access to the administrative portal and accounts to those who need them.
• Require strong administrative passwords (use a password manager for best results) and enable
• Regularly ensure shopping cart, other services, and all software are upgraded or patched to the latest versions to keep attackers out.
• Monitor for suspicious activity—create and regularly check logs and receive alerts if changes to the site are made.
• Ensure staff are trained in security best practices and follow the designated procedures.
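One way to act on the monitoring recommendation above for the checkout page in particular, written here as an added example and not taken from the Visa report: keep a known-good inventory of the page's scripts and raise an alert whenever a script appears, disappears, or its inline body changes, which is exactly the kind of change an injected skimmer makes. The two sample pages and the cdn.example.invalid host are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Collect every <script>: external ones keyed by src, inline ones by body hash."""
    def __init__(self):
        super().__init__()
        self.scripts = []          # (kind, identifier, content)
        self._buf = None           # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("external", src, src))
        else:
            self._buf = []         # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self._buf = None
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
            self.scripts.append(("inline", digest, body))

def script_inventory(html):
    """Return {(kind, identifier): content} for every script on the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {(k, i): c for k, i, c in parser.scripts}

def diff_scripts(baseline_html, current_html):
    """List scripts that appeared or disappeared since the known-good baseline.
    A changed inline script shows up as one 'removed' hash plus one 'added' hash."""
    base, now = script_inventory(baseline_html), script_inventory(current_html)
    findings = []
    for status, a, b in (("added", now, base), ("removed", base, now)):
        for kind, ident in sorted(a.keys() - b.keys()):
            findings.append({"status": status, "kind": kind, "id": ident,
                             "snippet": a[(kind, ident)][:60]})
    return findings

# Constructed sample checkout pages, not real merchant content.
BASELINE_HTML = '<script src="/js/checkout.js"></script><script>var total = 0;</script>'
CURRENT_HTML = ('<script src="/js/checkout.js"></script>'
                '<script src="https://cdn.example.invalid/stats.js"></script>'
                '<script>var total = 0; var promo = true;</script>')
```

Run diff_scripts on a snapshot taken from the live checkout page against the baseline captured after each legitimate deployment; any finding is an alert to investigate.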