A group of attackers are targeting Wall Street and biotech companies in a likely attempt to play the stock market.
Named “Fin4”, it has been observed collecting information from nearly 100 publicly traded companies, their advisory firms and all parties who handle insider information. According to the research by FireEye, over two-thirds of the targeted organisations are healthcare and pharmaceutical companies and they are likely being targeted as their stocks can move dramatically in response to news of clinical trial results, regulatory decisions or safety and legal issues.
However Fin4 does not utilise malware, and instead relies heavily on highly targeted social engineering tactics and deep subject matter expertise to deliver weaponised versions of legitimate corporate files. This has allowed them to evade traditional detection and attribution.
Dan McWhorter, VP of threat intelligence at FireEye, said FIN4 is the first time it is seeing a group of very sophisticated attackers systematially acquiring information that only has true value to a criminal when used in relation to the stock market.
It found that while FIN4 has highly advanced techniques for breaking into an organisation, stolen login credentials were shown to be transferred to FIN4 servers in plain text while the operators themselves use TOR to mask their locations and identities. FireEye said that FIN4 has only been in operation since 2013 but requently targets: C-level executives and senior leadership; legal counsel; regulatory, risk and compliance personnel; researchers; scientists and people in other advisory roles at over 100 companies.
Typically FIN4 organises the targets of their activity with over 70 unique “campaign codes” to designate the employer of the individuals they target, or in some cases, the generic roles the targeted individuals play within that organisation. These campaign codes function as labels that FIN4 uses to identify the origin of usernames and passwords stolen from their targets. These campaign codes are transmitted to FIN4’s command and control servers along with stolen credentials.
Philip Whitchelo, vice president of strategy and product marketing at Intralinks, said that the report shows the importance of not clicking on links or URLs in email messages from people outside your organisation, or from people you do not know or trust.
He said: “Even when people use email to discuss M&A projects, it is essential to ensure that non-obvious code names are used in all email communications to mask the identity of the companies involved – Intralinks recently performed an analysis of project names used in M&A transactions and found that the most common code names for M&A transactions were Eagle, Phoenix, Atlas, Falcon and Alpha, and that the top 10 most frequently used code names accounted for three per cent of all deals.
“It was also much more likely that the name of the client or target in an M&A deal shared the same first letter as the code name. Overuse of the same code names for M&A deals and use of code names whose first letter is the same name as the client or target in a deal can compromise security, by, for example, increasing the possibility of confidential information being sent to the wrong person or enabling hackers to be able to more easily guess the names of th
e companies involved when they have access to other partial information about a deal.”
Mushegh Hakhinian, chief security architect at Intralinks, said: “Board level executives are perfect targets for spear phishing attacks (a more sophisticated phishing targeting specific people). Their biographies and most of their work and achievements are usually public. They have the power to overrule security protocols (like not using that annoying two factor authentication for login) and usually give their assistants access to their online accounts. Few measures, other than not clicking the links, can protect the users.”
