Cybercriminals turn talents to stock market manipulation

Insider trading has been taken to a whole new level.


Hackers have begun to use their skills to go after a target far more lucrative than the average brick-and-mortar retailer — instead, researchers have discovered cybercriminals tampering with the stock market.

A number of high-profile cyberattacks have dominated the headlines this year. US retailer Target suffered a debilitating data breach last year resulting in millions of customer credit cards being compromised, and Staples is currently investigating a security breach that struck stores in October.

The theft of credit card data can lead to cloned cards and fraudulent transactions, identity theft or deals on the black market — but for some cybercriminals, the real honeypot is the stock market. Therefore, their skills are now being set against corporate networks belonging to publicly traded companies, in the hopes of stealing valuable information that could give them a jump on investments.

According to a new report released by security firm FireEye, Hacking The Street? FIN4 Likely Playing the Market, a team of native English-speakers are conducting insider trading with a difference. The FIN4 hacking team, which apparently have "extensive knowledge of the nuances in industries they targeted as well as financial practices," have been observed collecting information from nearly 100 publicly traded companies and their advisory firms in order to play the stock market.

Dan McWhorter, VP of threat intelligence at FireEye commented:

Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action. FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.

FIN4 seems particularly interested in "impending market catalysts," whether it be mergers, financial changes or acquisitions. These events can dramatically change a company's stock value, and so if this information is gained ahead of time, the team has an opportunity to play the market and generate a tidy profit.

Read this

The 12 scams of Christmas

What scams and schemes do you need to watch out for during the holiday season?

Read More

The group specifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, as well as other individuals who may be involved in confidential talks. Eschewing the use of malware, FIN4 instead relies on high-level social engineering tactics and document weaponisation.

One tactic the team often uses is embedding VBA macros into Office documents to display fake authentication prompts in order to steal user credentials.

The FireEye team believe FIN4 originates from either the United States or Europe, due to the use of English colloquialisms and the deep understanding of industry, regulatory and compliance standards demonstrated by the FIN4 team. The report says:

Their spearphishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies. FIN4's phishing emails frequently play up shareholder and public disclosure concerns.

The Tor network is used to disguise individual identities.

Since mid-2013, roughly 100 companies have been targeted. Over two-thirds are healthcare and pharmaceutical companies, probable due to the rapid movement of stocks in these industries in relation to clinical trials, regulatory changes and legal issues.

Additional information is below.

Report | Indicators

Read on: In the world of security