Cybercriminals have been discovered hacking more than 100 companies to access insider information about mergers and other business deals that could affect stock prices.
The group, dubbed “FIN4” in a report from the cybersecurity company FireEye, is targeting top executives, lawyers, consultants and others with private information about mergers and acquisitions, especially in the health-care and pharmaceuticals industries.
FireEye discovered the group while investigating security breaches in its corporate clients’ networks. FIN4 has been active since at least mid-2013, according to the report “Hacking The Street? FIN4 Likely Playing the Market.”
The hackers’ goals seem to be to profit from information that may cause stock prices to rise or fall dramatically in a short period.
“Access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage,” said the report, which was first covered by the Financial Times.
FIN4 tries to get the usernames and passwords of its victims’ e-mail accounts so it can eavesdrop on real-time communications about market-moving business deals.
The group doesn’t rely on malware, but instead leverages expertise to target victims. Its phishing e-mails sometimes referenced deals that the targets were involved in and used language betraying knowledge of company purchasing processes, product development, investment strategies, legal concerns and regulatory standards.
According to FireEye, hackers sometimes disguise themselves by sending e-mails from another victim’s account requesting login credentials. They also trick victims with fake Outlook Web App login pages. Another one of their strategies is to steal an online document and embed a fake dialogue box that looks like the Windows Authentication prompt for users to enter their login information. When a victim tries to open a document, he or she inadvertently gives hackers login credentials.
The hackers aren’t just haphazardly breaking into e-mail accounts at major, publicly traded companies. These attacks are targeted, with repeated hacks of several parties to a single business deal.
All but three of the publicly traded companies targeted by the group are listed on the New York Stock Exchange or Nasdaq. The others are traded on foreign exchanges. About 20 percent of the targets work for firms that advise the companies, such as lawyers, scientists and consultants.
Stock prices of health-care and pharmaceuticals companies are especially sensitive to news of possible deals, clinical trials, regulatory decisions and safety issues. That’s one reason the industry is linked to high-profile insider trading cases — and why it may be especially attractive to hackers.
This isn’t the first time hackers were involved in possible insider trading. What sets FIN4 apart is the scale of its operation, which targets more than 100 companies, and its tactic of targeting key individuals.
“FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market,” FireEye vice president of threat intelligence, Dan McWhorter, told MarketWatch.
While FireEye has not identified who is behind the attacks, it found several domains linked to the hacking. The report suggests companies block those domains, disable VBA macros and enable two-factor authentication for remote access to Microsoft Outlook e-mail.