Threat Intelligence Tarot
pentacles · 10
Criminal (Eastern European, suspected)
G0053 · ★★★★★
risk 3/5
✦ The Payment Card Ghost ✦
FIN5
Retail POS systems · Hospitality · Gaming · US businesses
Active since ~2008 · Payment card data theft, POS system compromise, Long-term persistent access
The Payment Card Ghost operates quietly, methodically, and for years. It enters retail networks through remote access tools, waits, and scrapes payment card memory at the moment of swipe. It deletes logs. It leaves nothing. Only when the cards appear on dark web markets do investigators trace backward to find it was there at all.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- ◆Persistent POS compromise campaigns across US retail (2008–2017)
- ◆FLIPSIDE memory-scraping POS malware deployment
- ◆VNC remote access tool used for persistent access and lateral movement
- ◆Careful log cleaning and evidence destruction post-exfiltration
Defenses
- ▸POS memory scraping protection and file integrity monitoring (PCI DSS)
- ▸Remote access tool allowlisting for POS network environments (CIS Control 2)
- ▸Network segmentation isolating POS from the corporate network (PCI DSS Requirement 1)
- ▸Centralized logging that POS systems cannot modify or delete (CIS Control 8)
Reversed: Their Weakness
FIN5's extreme focus on evidence destruction (thorough log cleaning, careful tool removal) paradoxically made incident response more expensive and less complete, generating insurance claims and regulatory action that attracted exactly the law enforcement attention its tradecraft was designed to avoid.
Data sourced from MITRE ATT&CK. For educational purposes.