Meet Vendetta Brothers Inc., a small-time cybercrime ring that has mastered the art of compromising point-of-sale systems and selling the data online. The group, named after its “Vendetta World” underground marketplace, is unique because of its ability to adopt real-world criminal tricks of the trade and apply them online.
Researchers at FireEye say the Vendetta Brothers are two crooks, going by the handles “1nsider” and “p0s3id0n,” who outsource most of their work to other attackers.
“We have observed the pair using practices more commonly seen in legitimate business and organized crime, including outsourcing, partnerships, diversifying their market, and insulating liability,” wrote researchers in a profile of the Vendetta Brothers published Thursday.
The hallmark of the group is that it works smart, not hard: it targets point-of-sale systems by outsourcing the heavy lifting when it comes to the tedious and lower-margin tasks of locating, identifying and exploiting payment systems, according to Will Glass, a threat intelligence analyst at FireEye.
“These people who they hire have no connection back to them and have no knowledge of the fact they are working with the Vendetta Brothers,” Glass said. “So if investigators discover one small aspect of the operation, they aren’t going to suffer a big loss.”
The Vendetta Brothers have typically targeted victims in the U.S., Sweden and Norway. Since the firm began tracking the group, it’s estimated that the Vendetta World marketplace for stolen bank card data contains about 9,400 payment cards representing 640 banks from 41 countries.
Glass said the group is far from the largest of POS cybercriminals that FireEye has tracked. Stolen card shops, he said, can offer hundreds of thousands of payment card numbers for sale. But the Vendetta Brothers uniquely illustrate how some online criminal enterprises are leveraging brick-and-mortar criminal tactics.
“These are two guys who have figured out how to get other people to do their dirty work. They earn a substantial amount of the profit and take a nominal amount of risk,” Glass said. In the real world, he said, these criminal tactics are more commonly associated with organized crime.
Starting with outsourcing, the Vendetta Brothers regularly solicit the help of others via advertisements on the dark web. Ads typically seek cybercriminals who have already gained remote access to POS terminals, systems or data. The Vendetta Brothers will pay for that access and offer to help with the exfiltration of bank card data using their own optimized malware.
When it comes to finding new targets, rather than developing their own list of potential phishing targets, the Vendetta Brothers rely on spamming services to send emails with Word document attachments that download malware, according to the firm.
The group is also known to install physical bank card skimmers paired with well-placed video cameras that capture payment card data as well as PINs.
“Rather than relying on a single method, these criminals have diversified their capabilities to respond to discovery, attribution, or remediation,” wrote researchers. By outsourcing much of the grunt work the Vendetta Brothers not only pass the hard work to others, but also the risks.
This tactic helps them focus on what they do best, reaping the rewards of stolen payment card information, Glass said.
FireEye researchers say the Vendetta Brothers use a customized version of the BetaBot malware in their outsourced spam campaigns. Samples of malicious spam found by the firm have included malicious Word documents passing themselves off as resumes. Once opened, the Word document uses a malicious macro that downloads and runs BetaBot from a staging server.
Next, BetaBot calls out to a set of three command-and-control servers to download additional components. One is PsExec, a legitimate Sysinternals administration utility that executes commands on remote computers and is abused here for lateral movement. The second is a file designed to interact with BetaBot and instruct it to spread laterally to other systems on the POS network.
Researchers have identified a third piece of malware used by the Vendetta Brothers called VendettaPOS, a memory scraper that searches POS system memory for Track 1 and Track 2 payment card data. According to the firm, VendettaPOS shares 98 percent of its code with Dexter POS malware samples it has analyzed.
Researchers say the VendettaPOS C2 infrastructure overlaps with the Vendetta World storefront on the dark web. Following this lead, researchers said they spotted yet another memory-scraping malware, called CenterPOS, in use by the pair.
“Despite the Vendetta Brothers’ relatively small operation, they nonetheless emulate proven practices from both business and organized crime that indicate thoughtful planning on how to maximize profit and minimize risk,” FireEye wrote.