The threat group FIN6 is using social engineering to distribute the More_eggs malware via fake resumes hosted on AWS. The group infiltrates recruitment platforms such as LinkedIn and Indeed and opens conversations with recruiters to build trust before sending phishing messages. More_eggs is a JavaScript backdoor that enables credential theft and follow-on intrusions. Originally focused on point-of-sale (PoS) systems, FIN6 also uses JavaScript skimming to harvest payment card data, which it monetizes through sales on various underground marketplaces.
By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware.
Stolen payment card data is later monetized by the group, either sold to intermediaries or offered openly on marketplaces such as JokerStash, before that marketplace shut down in early 2021.