VERY IMPORTANT

FIN6 is a financially motivated threat actor group in operation since at least 2015. The group has compromised multiple point-of-sale (POS) environments using the TRINITY POS (aka FrameworkPOS) malware. In September 2017, forensic investigations of several undisclosed entities revealed evidence that FIN6 actors changed to target card-not-present (CNP) data when they could not deploy their malware in the POS environment. Evidence shows that FIN6 injected malicious code into the merchants’ eCommerce environment, placing skimming malware on the victims’ checkout pages. Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology.