FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.
Cybercriminals began siphoning off a considerable portion of COVID unemployment subsidies as soon as state governments began disbursing them in 2020, experts say (Photo: Kacper Pempel/Illustration/Reuters)

Security experts have discovered that FIN7, a financially motivated Russian hacking gang, has put up a fake company to entice unknowing IT workers into backing its continued expansion into ransomware.

FIN7, which is infamous for hacking into point-of-sale registers and stealing over $1 billion from millions of credit cards, is now operating under the guise of Bastion Secure, according to researchers at Recorded Future's Gemini Advisory unit.

The group has been tied to hacks against hundreds of companies worldwide, including major retailers' point-of-sale systems. The threat outfit is also suspected of creating the software that was used in the Colonial Pipeline attack, which temporarily shut down pipeline operations and hampered gasoline distribution to areas of the Southeast earlier this year.

Bastion Secure's website appears to be authentic. However, the analysis discovered that FIN7 is creating an air of legitimacy by leveraging real, publicly available information from existing, legal cybersecurity organizations - phone numbers, office locations, and language scraped from genuine websites.

Bastion's website states that the fictional company's advisory branch was acquired by Six Degrees in 2016, and that it won "Best Managed Security Service" at the SC Magazine awards in 2016. Neither of these statements are true.

The fake company's website, according to Recorded Future, is substantially cloned from the website of Convergent Network Solutions, a legitimate cybersecurity firm.

According to the researchers, the site is housed on the Russian domain registrar Beget, which is frequently used by hackers, and some of the bogus company's submenus return a Russian-language "page not found" error, which could imply that the site's designers are Russian speakers.

A Gemini source applied for a job at the phony company while investigating Bastion Secure. While the first two stages comprised conventional interview tasks for IT professionals, the third stage "became immediately clear the company was involved in criminal activity," researchers noted.

"The fact that the Bastion Secure representatives were particularly interested in file systems and backups signals that FIN7 was more interested in conducting ransomware attacks than POS [point of sale] infections," the team wrote.

It's not the first time FIN7 has pretended to be a legitimate company; the group previously posed to be "Combi Security" before being forced to shut down due to negative attention.

As of writing, both Chrome and Safari have blocked access to the "deceptive" site.