FIN7 Sets Up Fake Pentesting Company Site to Recruit Talent
The Cybercrime Group Posted Job Advertisements on Russian Job Portals
FIN7, a financially motivated threat group that has been targeting the U.S. retail, restaurant and hospitality sectors for about six years, has set up a website posing as a security company to recruit talent, according to fraud intelligence company Gemini Advisory.
The threat group advertised job openings for a fake company called Bastion Secure on Russian job portals, the report says. The aim of the scam, it adds, was to lure security researchers who could help the group with penetration testing-related activities to enable ransomware attacks.
Gemini Advisory discovered the scam when a source told the company that they were contacted by Bastion Secure to apply for the position of an IT specialist. Although the website appeared legitimate on the surface, an analysis of its source code showed that it was fake, the researchers say. In fact, its code was identical to that of the legitimate cybersecurity company Convergent Network Solutions, they add.
Most pages on the website returned a 404 error drafted in Russian, implying its creators' origin, the researchers note. In the past, the FIN7 group has carried out similar scams. In 2018, its fake company Combi Security, which purported to be a penetration testing and security consultancy, was brought to light by prosecutors who believed that the company was an attempt "to add a thin veil of legitimacy to the hacking scheme" (see: Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members).
Another pointer to FIN7's involvement, according to the researchers, was the gang leveraging Russian job portals such as zoon.ru for its recruitment process. During the Combi Security scam, the threat group had posted job ads on Russian, Ukrainian and Uzbek job recruitment sites, they say.
The links on the job portal directed users to the now-blocked website www[.]bastionsecure[.]com. Archived records from Thursday, reviewed by Information Security Media Group, show that the threat actors, posing as Bastion Secure, said in the job ads that they were recruiting reverse engineers, system administrators and PHP, Python and C++ programmers.
The footer of the website offered contact details for potential employees, including an email address and an Israeli phone number. The Wall Street Journal says it did not receive a response when it wrote to the email address but when it called the phone number, a Russian-speaking individual on the receiving end of the call said: "I'm just a person. I have nothing to do with any cybersecurity company."
The Recruitment Process
Using the information shared by the unidentified Gemini Advisory source, who was contacted by Bastion for a job, the researchers explained the three stages of the recruitment process:
Stage 1: HR Interview
A person posing as an HR representative from Bastion Secure contacted the Gemini Advisory source and asked them whether they were interested in working as an IT specialist for the company. Once the source showed interest, they were interviewed on the messaging platform Telegram. After the interview, they were asked to submit test assignments, sign a nondisclosure agreement and download several virtual machines onto their computer.
Stage 2: Assignments
In the second stage, the source was asked to install specific platforms and submit assignments "typical for the position," according to the researchers. Bastion also warned the source against installing antivirus software on the device and advised them to only use company-prescribed tools or face hefty fines. Individuals interested in learning new tools were provided additional resources that could be used for both legitimate penetration testing and malicious activity. The Bastion Secure representative told the source that the tools would help them manage their client’s systems and secure themselves.
Stage 3: 'Real-World' Assignments
In the third and final stage of the interview process, the source was given a "real-world" assignment, in which they were asked to conduct a penetration test against one of Bastion Secure's customers, the researchers say. According to the researchers, this alerted the source, who told them that Bastion Secure provided access to a customer's network without any legal trail or documentation and was only interested in file systems and backups.
According to the researchers, this move implies that "FIN7 has continued to expand into the ransomware sphere." Nick Carr, a security analyst at Microsoft, said at the Mandiant Cyber Defense Summit in September that FIN7 had produced the software used in the hack that disrupted Colonial Pipeline Co.’s operations, The Wall Street Journal said.
Old Tactic, New Twist
Although the process is not new, it is interesting to see how threat groups filter out unsuitable candidates, says Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4.
"This [the recruitment scam] has been going on for decades, especially in India, Russia and China. All the big job sites are full of positions for malicious companies. What is interesting is how quickly they filter out a candidate who has ethics and is interested in not breaking the law," he tells ISMG.
"The malware companies are looking for the strongest developers they can get, so they advertise all the right skills and requirements for the job. When they connect to a candidate and start the initial interview, if the candidate asks any questions that might indicate that the candidate might have a problem with the intent of what they might be doing, they are immediately cut off," he adds.
Recruiting security professionals to do the hard work of gaining access to a target - who will then be set up to take the fall for any criminal involvement detected - is, "in a way, brilliant," says Chris Clements, vice president of solutions architecture at Cerberus Sentinel.
"Given the low amount of pay advertised, the recruitment targets are likely low-skilled or in very poor areas of the world. Experienced penetration testers in the developed world can command salaries many times what FIN7 appears to have offered. Still, this points to ransomware gangs more and more turning to targeted attacks against specific victims rather than haphazard 'spray and pray'-type approaches to compromising targets," he tells ISMG.
Gemini Advisory sent law enforcement agencies a copy of the report that it says was redacted only for public viewing to protect its source.
As a preventive measure, search engine giant Google added the www[.]bastionsecure[.]com domain name to its blacklisting service Safe Browsing. Those who try to access the website receive a "Deceptive site ahead" warning.