They Hacked Chipotle and Red Robin, Now They Are Eating Jail Food

I'm not going to lie, this story might make you hungry. Or possibly hangry.

U.S. officials have just charged three people who were part of hacks against approximately 100 companies including Chili's, Arby's, Red Robin, Jason's Deli, and Chipotle.  

Chipotle? We have no idea if they added the queso.

Seriously.

Take out orders were one of the group's top ways to get access into corporate networks. 

Now, "three high-ranking members" of the FIN7 hacking group are eating jail food.

One is in Seattle, having been extradited from Germany, and two others are awaiting extradition to the United States. One is in jail in Poland, and another is in Spain.

7 things to know about the FIN7 hacking group

1. Accused of hacking computer networks in 47 states (94% of states!) and the District of Columbia, along with companies in the United Kingdom, Australia, and France.
2. They started attacks with a customized phishing email. "Take out order for tomorrow at 11" is an example:
   
3. Typically, they'd follow up with a phone call to the establishment, letting them know they'd sent an email order and asking them to confirm it.
4. When the employee opened the attachment, FIN7 command and control servers, hosted around the world, installed a customized version of malware called Carabank onto the victim's computer.
5. The malware and other related tools allowed the hackers to conduct surveillance on employees, take screenshots, record videos of desktop activity, enable them to steal credentials, move across a company's network, and then steal data, including millions of credit card numbers.
6. The stolen credit card, debit card, and gift card numbers were sold on the Dark Web. The buyers of these stolen numbers could then go shopping and surprise credit card companies and customers who had charges they never made mysteriously pop up on their statements. 
7. Recruitment: Ever wonder how a hacking group recruits members? In this case, U.S. prosecutors say the group set up a fake cybersecurity company website. "FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise."

In a world where cybercrime does pay without consequences in too many cases, U.S. Attorney Annette Hayes says this is an effort to push back. "Cybercriminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong."

FIN7 is likely still operating, but the group has allegedly lost one of its hackers, a hacker-group supervisor, and a system administrator. The first trial is scheduled to begin in Seattle on October 22, 2018.