Vendetta Brothers scalable POS campaign revealed

Security researchers have uncovered a detailed cybercrime campaign against point-of-sale (POS) systems managed by two entrepreneurial criminals who have instituted the best practices of the global economy.

The cybercrime group, dubbed the “Vendetta Brothers,” has created a sophisticated and streamlined operation, according to a report published by FireEye iSIGHT Intelligence.

The criminals have developed a complex structure that allows them to launch attacks against POS machines, located primarily in the United States and Nordic countries. The operation steals credit and debit card information and sells that information in underground markets.

The criminals, known by their hacker monikers “1nsider” and “p0s3id0n,” have implemented corporate best practices, including outsourcing lead generation and developing partnerships with other cybercriminals “to boost the scale of their operation,” Will Glass, threat intelligence analyst at FireEye, told SC Media. The individuals appear to operate from Spain and Eastern Europe, Glass said.

While the operation is relatively small, it provides “the most insight into the specific business operations” of cybercriminals, said Glass, speaking with SC Media. The Vendetta World forum offered more than 9,400 stolen payment cards from 639 banks in 40 countries in early 2016, according to the firm's “Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground” report. By way of comparison, some of the larger groups that the researchers have observed offer “hundreds of thousands or even millions” of payment cards, he added. “They have found a way for just two people to run an entire scheme.”

The operation embodies the “don't work harder, work smarter” ethos, he added.

The duo used outsourced labor and cybercrime partnerships as “an extra barrier” that shielded the operation from law enforcement. These partners were recruited through advertisements on the Dark Web to implant malware on POS terminals, launch phishing attacks, or install physical skimmers.
