Hacker Group Seeks Wall Street Insider Information
More than 100 public companies, almost all of them listed on the New York Stock Exchange or Nasdaq, have been attacked by a group of hackers who steal private company data in order to obtain insider information that could influence stock prices and give them better odds when trading stock.
The group is using sophisticated, well-written phishing attacks to snatch email credentials, specifically targeting pharmaceutical and healthcare organizations as well as their advisory firms. Once the hackers gain access to an email account belonging to an executive, legal advisor, outside consultant or researcher, they can obtain the insider information they need.
Researchers at FireEye have released a report on this group, which they named FIN4. One of the researchers, threat intelligence manager Jen Weedon, said that the group has been active since mid-2013 and appears to be American, judging by its proper use of English and exhaustive knowledge of Wall Street. Weedon said there is no indication of the nation-state association typical of APT groups. She also said the hackers look like people who may have worked on Wall Street before rather than career criminals.
According to the report, more than 100 companies have been attacked by this group; 68 percent of them are in the pharmaceutical and healthcare industries, and another 20 percent work in an advisory capacity, counseling on legal, security and other questions concerning merger and acquisition (M&A) activity. FireEye has informed all organizations that were compromised by the attackers. Nonetheless, the FIN4 group is still at large and active: Weedon said that a new command and control server was discovered after FireEye published its report.
FireEye said that the group has managed to evade detection by using Tor for its communications, for moving data and for logging into compromised email accounts. FireEye has discovered a total of nine command and control server domains.
The FIN4 group does not use any malware in its attacks; instead it uses phishing emails that lure shareholders and investors with elaborate bait, such as the promised revelation of confidential information. In most of the cases researched, a Microsoft Office document was attached containing a Visual Basic for Applications (VBA) macro that displays a fake Outlook dialog box asking the user to enter credentials. In a few other cases, when VBA macros were disabled, the user was instead sent a link to a bogus Outlook Web Access page.
Frequently, the bait appeared to be documents stolen from other victims involved in the same M&A deal, lending the attack a high degree of authenticity. Once the attackers gain access to an email account, they can not only obtain all the information they are looking for but also steer the discussion in their favor by taking part in it. FireEye also reports finding Outlook rules placed on victims' accounts that route any message containing keywords such as phishing, hacked, malware and more to the Deleted folder.
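The inbox rules described above are something a mail administrator can hunt for directly. The following script is an added example, not code from the original article or from FireEye: it takes a list of rule records whose field names are modelled on the properties that Exchange's Get-InboxRule cmdlet returns (Name, Enabled, SubjectOrBodyContainsWords, MoveToFolder, DeleteMessage, MailboxOwnerId) and flags any enabled rule that both matches a security-related keyword and sends the message somewhere the owner will not see it. The sample rules at the bottom are constructed for the demonstration; the keyword and folder lists are assumptions you would tune for your own environment.

```python
"""Flag Outlook/Exchange inbox rules that hide security warnings.

FIN4 planted rules that sent any message mentioning words such as
"phishing", "hacked" or "malware" straight to the Deleted Items folder,
so a victim never saw colleagues or IT warning them. This added example
(not the article's or FireEye's code) scans rule records shaped like the
output of Exchange's Get-InboxRule cmdlet and reports rules that match
that pattern.
"""
from dataclasses import dataclass

# Assumed keyword list: words an attacker would want to suppress.
SECURITY_KEYWORDS = frozenset({
    "phishing", "phish", "hacked", "hack", "malware", "virus",
    "compromised", "suspicious", "password", "security", "fraud",
})

# Assumed list of destination folders that effectively hide a message
# from the mailbox owner (compared case-insensitively on the leaf name).
HIDING_FOLDERS = frozenset({"deleted items", "junk email", "rss feeds"})


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    matched_keywords: tuple
    action: str


def _condition_words(rule, *fields):
    """Collect the keyword conditions from the given rule properties."""
    words = []
    for field in fields:
        value = rule.get(field) or []
        if isinstance(value, str):
            value = [value]
        words.extend(value)
    return words


def _hiding_action(rule):
    """Return a label if the rule deletes or buries the message, else None."""
    if rule.get("DeleteMessage"):
        return "DeleteMessage"
    folder = rule.get("MoveToFolder") or ""
    # Get-InboxRule renders the folder as a "Mailbox\Folder" style path;
    # only the leaf name matters here.
    leaf = folder.split("\\")[-1].strip().lower()
    if leaf in HIDING_FOLDERS:
        return f"MoveToFolder={leaf}"
    return None


def find_suspicious_rules(rules, keywords=SECURITY_KEYWORDS):
    """Return a Finding for every enabled rule that hides security-related mail."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        action = _hiding_action(rule)
        if action is None:
            continue  # rule files mail somewhere visible; not the FIN4 pattern
        conditions = _condition_words(
            rule, "SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"
        )
        matched = tuple(sorted({
            word.lower() for word in conditions
            if any(k in word.lower() for k in keywords)
        }))
        if matched:
            findings.append(Finding(
                mailbox=rule.get("MailboxOwnerId", "?"),
                rule_name=rule.get("Name", "?"),
                matched_keywords=matched,
                action=action,
            ))
    return findings


# Constructed sample rules for the demonstration (not real mailbox data).
SAMPLE_RULES = [
    {"MailboxOwnerId": "cfo@example.invalid", "Name": "Newsletters", "Enabled": True,
     "SubjectOrBodyContainsWords": ["unsubscribe"], "MoveToFolder": "cfo\\Newsletters"},
    {"MailboxOwnerId": "cfo@example.invalid", "Name": "Rule1", "Enabled": True,
     "SubjectOrBodyContainsWords": ["phishing", "hacked", "malware", "compromised"],
     "MoveToFolder": "cfo\\Deleted Items"},
    {"MailboxOwnerId": "cfo@example.invalid", "Name": "Old rule", "Enabled": False,
     "BodyContainsWords": ["virus"], "DeleteMessage": True},
    {"MailboxOwnerId": "counsel@example.invalid", "Name": "Cleanup", "Enabled": True,
     "BodyContainsWords": ["virus"], "DeleteMessage": True},
    {"MailboxOwnerId": "counsel@example.invalid", "Name": "IT notices", "Enabled": True,
     "SubjectContainsWords": ["security"], "MoveToFolder": "counsel\\IT Notices"},
]

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES):
        print(f"{finding.mailbox}: rule '{finding.rule_name}' {finding.action} "
              f"on keywords {finding.matched_keywords}")
```

In practice you would feed the function the output of Get-InboxRule exported across all mailboxes (for example as JSON) rather than the constructed list, and treat any hit on an executive or legal mailbox as an incident indicator rather than a cleanup item, since the rule itself is evidence that someone else has been in the account.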
The specific focus on pharmaceutical and healthcare organizations is presumably because stock prices in those industries fluctuate rapidly, so trading on insider information can bring huge profits.
It is evident that it may be hard to protect yourself from a well-constructed phishing email; however, we can prevent attackers from sniffing your online activity by using a VPN to encrypt your internet traffic. NordVPN’s main purpose has always been users’ privacy, and thus we keep no logs, to prevent your information from being leaked.