Financially motivated FIN7 is trying to recruit unsuspecting pentesters, via a fake firm, to participate in ransomware schemes on targeted networks.

What has happened?

Researchers from Gemini Advisory have discovered the fake firm named Bastion Secure being leveraged by attackers to lure software engineers and security experts.
  • On their website, the attackers posted about genuine hiring opportunities for PHP, Python, and C++ programmers, along with reverse engineers and system administrators, on various popular job boards.
  • Criminals offered salaries that varied between $800 and $1,200 a month for IT specialists, comparatively a much less amount than what a group generally makes per attack but a viable salary for beginners in post-Soviet states.

Highly convincing websites

Attackers have reportedly used public information from multiple genuine cybersecurity firms to provide a touch of legitimacy to fool individuals.
The website of this fake security firm consists of content stolen mostly from the website of Convergent Network Solutions, a cybersecurity company claiming to offer pentesting services.

The hiring process

  • During the interview process, attackers offer the applicants multiple tools for practice assignments.
  • These tools were components of the post-exploitation toolkits Carbanak and Lizar/Tirion, previously linked to FIN7.
  • In the next step of the hiring process, prospective candidates are provided with access to some company network (the real victims) and the candidates are asked to collect information on domain administrators, file systems, and backups.


It's not the first time that the FIN7 group has created a fake site. The group was previously linked to another fake cybersecurity firm, Combi Security, that was promoting fake penetration testing services. Using fake cybersecurity firms to recruit software engineers allows cybercriminals groups to work with fresh bright minds, who may not know anything suspicious is going is behind the scenes. People looking for job opportunities should stay cautious of similar attempts and investigate properly about a firm before applying.

Cyware Publisher