A small, yet very sophisticated group of cyber-criminals named the Vendetta Brothers is behind numerous attacks on PoS systems and ATMs across the US and Scandinavian countries.
Because they lacked the resources to create and operate their own international cyber-crime syndicate, the group used Crime-as-a-Service (CaaS) offerings advertised on the Dark Web to create a modular cyber-crime operation, of which they were in control.
The group’s two members, known as “Insider” and “p0s3id0n,” hired other cyber-criminals to provide niche services, which they combined into a well-oiled cyber-crime machine that they used to target point-of-sale (PoS) systems and ATMs across the US, Finland, Norway, Sweden, and Denmark.
Their activities looked like the regular operation of a normal business. The Vendetta Brothers would outsource the creation of malware and spear-phishing emails to other groups, while also entering partnerships with other cyber-criminals for all sorts of services.
For example, the two partnered with other hackers who had previously gained access to PoS systems. They paid these hackers for access to their terminals, where they infected the systems with their own PoS malware versions named VendettaPOS and CenterPoS.
The group wrote their own malware, but outsourced most of the work. They also tried their hand at spamming victims and compromising PoS systems, but they also bought leads from other spam services on the Dark Web.
Furthermore, the group expanded into other types of financial crime and partnered with criminals who deployed skimmers and hidden video cameras at real-world ATMs.
The credit card numbers acquired from infected PoS systems and ATM skimmers, along with PINs (where available), were then made available for purchase online via their own online store called the Vendetta World.
FireEye, which discovered the group’s activities, says that in early 2016, the Vendetta World shop contained more than 9,400 payment cards with more than 2,000 bank identification numbers from 639 banks in 40 countries.