FireEye Discovers Hackers Targeting Wall Street to Access Insider Trading Information

Hackers have reportedly been attacking over 100 companies in the healthcare, pharmaceutical and investment banking sectors since mid-2013.

This article originally appeared at The WHIR

Hackers familiar with the financial industry have been attacking over 100 companies in the healthcare, pharmaceutical and investment banking sectors since mid-2013. A report released by FireEye on Monday says the group it calls FIN4 focuses on gaining access to accounts of individuals that have access to insider information.

This intimate, non-public knowledge of publicly traded companies could be used to provide an unfair advantage in the stock market; trading on it is illegal outside the forms of insider trading permitted under Securities and Exchange Commission (SEC) regulations.

Hacks on US financial institutions have been prevalent this year. In October, JP Morgan reported that over 76 million customer accounts were exposed through a security breach that had gone undetected for months. In August, the FBI, NSA and US Secret Service investigated hacks at five US banks. Just last week, Sony Entertainment was hacked by a group using malware; the company hired FireEye’s Mandiant incident response team to clean up after the incident.

Rather than using malware, as was the case in some of the other hacks this year, FIN4 gains access to the email accounts of their targets. The group targets executive management, legal counsel, researchers and others in advisory roles. FireEye believes the hackers focus on individuals that may have information about publicly traded companies that could affect the stock price. The hackers are particularly interested in mergers and acquisitions.

Two-thirds of the over 100 targets are healthcare and pharmaceutical companies. Half of the targets are in the already volatile biotechnology sector.

“We believe FIN4 heavily targets healthcare and pharmaceutical companies as stocks in these industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” said the report. “In fact, many high-profile insider trading cases involve the pharmaceutical sector.”

The hackers are using various techniques to steal passwords.

“The group frequently employs M&A-themed and SEC-themed lures with Visual Basic for Applications (VBA) macros implemented to steal the usernames and passwords of these key individuals,” the report said. “Additionally, FIN4 has included links to fake Outlook Web App (OWA) login pages designed to capture the user’s credentials. Once equipped with the credentials, FIN4 then has access to real-time email communications—and presumably insight into potential deals and their timing.”

Once an email account is compromised, the group uses it to send detailed phishing emails to the victim’s contacts, with wording that indicates the group is both familiar with the financial industry and likely made up of native English speakers.

Intimate knowledge of industry-specific language and of how acquisitions work let FIN4 reach potential targets despite the caution and security measures typical of these industries. “In several of our investigations, FIN4 targeted multiple parties involved in a business deal, including law firms, consultants, and public companies. In one instance, FIN4 appeared to leverage its previously-acquired access to email accounts at an advisory firm (“Advisory Firm A”) to collect data during a potential acquisition of one of Advisory Firm A’s clients (“Public Company A”).”

The group even creates Outlook rules on compromised accounts that automatically delete incoming email containing the words “hack”, “phish”, and “malware”. This measure may prevent the target from receiving warnings from colleagues who suspect a breach.
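The mailbox-rule trick described above leaves a recognisable trace: a rule that silently deletes or hides messages whose subject or body mentions security terms. The following script, an added example and not code from FireEye or from the report, audits a rule export for exactly that pattern. The JSON field names (name, enabled, conditions, actions) and the sample rules are constructed for this example and are not the schema of any real Exchange or Outlook export; an auditor would map their own export into this shape first.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample of an inbox-rule export. The schema is an assumption made
# for this example, not a real Exchange/Outlook format. The second rule mirrors
# the behaviour described in the FireEye report: delete anything mentioning
# "hack", "phish" or "malware".
SAMPLE_RULES_JSON = """
[
  {"name": "Newsletters", "enabled": true,
   "conditions": {"subject_contains": ["digest"], "body_contains": []},
   "actions": {"move_to": "Newsletters", "delete": false}},
  {"name": ".", "enabled": true,
   "conditions": {"subject_contains": ["hack", "phish"], "body_contains": ["malware"]},
   "actions": {"move_to": null, "delete": true}},
  {"name": "Archive deals", "enabled": true,
   "conditions": {"subject_contains": ["acquisition"], "body_contains": []},
   "actions": {"move_to": "Deleted Items", "delete": false}},
  {"name": "Old rule", "enabled": false,
   "conditions": {"subject_contains": ["hack"], "body_contains": []},
   "actions": {"move_to": null, "delete": true}}
]
"""

# Words a colleague would plausibly use when warning someone about a breach.
# The three from the report are included; the rest broaden the watchlist.
SECURITY_TERMS = {
    "hack", "hacked", "phish", "phishing", "malware",
    "compromise", "compromised", "breach", "suspicious",
}

# Folders where a moved message is unlikely to be noticed by the user.
HIDING_FOLDERS = {"deleted items", "junk", "junk email", "rss feeds", "conversation history"}


@dataclass(frozen=True)
class Finding:
    rule_name: str
    reason: str
    matched_terms: tuple[str, ...]


def _rule_keywords(conditions: dict) -> list[str]:
    """Collect every keyword the rule matches on, lower-cased."""
    words = conditions.get("subject_contains", []) + conditions.get("body_contains", [])
    return [w.lower() for w in words]


def _hides_message(actions: dict) -> bool:
    """True if the rule's action removes the message from the user's view."""
    if actions.get("delete"):
        return True
    destination = (actions.get("move_to") or "").strip().lower()
    return destination in HIDING_FOLDERS


def audit_rules(rules_json: str) -> list[Finding]:
    """Flag enabled rules that act on security-related keywords.

    A rule that both matches security terms and deletes/hides the message is
    the high-confidence case; a rule that merely filters on such terms is
    reported at lower severity so an analyst can review it.
    """
    findings: list[Finding] = []
    for rule in json.loads(rules_json):
        if not rule.get("enabled", True):
            continue  # disabled rules cannot suppress anything
        keywords = _rule_keywords(rule.get("conditions", {}))
        matched = tuple(sorted({w for w in keywords if w in SECURITY_TERMS}))
        if not matched:
            continue
        actions = rule.get("actions", {})
        if _hides_message(actions):
            reason = "HIGH: deletes or hides mail mentioning security terms"
        else:
            reason = "LOW: filters on security terms, review manually"
        findings.append(Finding(rule["name"], reason, matched))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES_JSON):
        print(f"{finding.rule_name!r}: {finding.reason} {list(finding.matched_terms)}")
```

Run against the constructed sample, only the rule named "." is reported: it is enabled, deletes outright, and matches all three words from the report. The "Archive deals" rule moves mail to Deleted Items but matches no security term, and the disabled "Old rule" is skipped, so neither appears. The same logic applies unchanged to rules that move rather than delete, which is why the hiding-folder list is checked alongside the delete flag.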

Hackers have been in the news a lot this year, with Russia and China suspected in many cases. An unknown government using advanced hacking spyware attacked Russia and Saudi Arabia in November. Perhaps in response to growing threats, FireEye partnered with SingTel in October to strengthen security in the APAC region, an area highly targeted by hackers.
