Hackers hit execs for insider info to gain stock market advantage

FireEye’s researchers have identified yet another hacking group. Dubbed FIN4, the hacking crew seems to be comprised of native English speakers with “deep familiarity with business deals and corporate communications, and their effects on financial markets.”

Their targets are top executives, legal counsel, outside consultants, regulatory, risk, and compliance personnel, advisors and researchers who are believed to have inside knowledge about potential mergers and acquisitions, deals and new research results.

Operational since at least mid-2013, the group has targeted these individuals in over 100 publicly traded companies and advisory firms, the majority of which are in the healthcare and pharmaceutical industries.

“We believe FIN4 heavily targets healthcare and pharmaceutical companies as stocks in these industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues,” the researchers shared.

Their weapons of choice are extremely well crafted and personalized spear-phishing emails that are meant to lead recipients to phishing pages impersonating the Outlook Web App login page and trick them into sharing their Microsoft Outlook login credentials.

“FIN4 knows their targets. Their spearphishing themes appear to be written by native English speakers familiar with both investment terminology and the inner workings of public companies,” the researchers explained in a whitepaper published on Monday.

“FIN4 uses their knowledge to craft convincing phishing lures, most often sent from other victims’ email accounts and through hijacked email threads. These lures appeal to common investor and shareholder concerns, enticing the intended victims into opening the weaponized document and entering their email credentials.”

The weaponized documents they are talking about are stolen mergers & acquisitions- and SEC-themed Office documents with embedded Visual Basic for Applications (VBA) macros, meant to steal the targets’ Microsoft Outlook usernames and passwords.

“FIN4 also uses existing email threads in a victim’s inbox to spread their weaponized documents. We’ve seen the actors seamlessly inject themselves into email threads,” the researchers explained. “FIN4’s emails would be incredibly difficult to distinguish from a legitimate email sent from a previously compromised victim’s email account. The actors have also Bcc’d all recipients, making it even more difficult for recipients to decipher a malicious email from a legitimate one.”

Here’s how a typical attack looks like (click on the screenshot to enlarge it):

By using such believable phishing emails, and by using the harvested login credentials to simply peruse the targets’ communication exchanges, the attackers have made it difficult for companies to spot the intrusions. In addition to this, they also create a rule in victims’ Microsoft Outlook accounts that automatically deletes any emails that contain words such as “hacked”, “phish”, or “malware”, so that even if another target suspects the sender of the email has been compromised, it will be difficult to inform him of these suspicions via email.

The researchers say that the attackers’ goal seems obvious: gain insider knowledge about things that affect the companies’ stock price or future revenue, and act upon that information in a way that would earn them money.

As the attacks are still ongoing, the researchers advise organizations’ network defenders to disable VBA macros in Microsoft Office by default (if possible), block a number of C&C domains currently in use (listed in the whitepaper), and enable two-factor authentication for OWA and any other remote access mechanisms.

“Companies can also check their network logs for OWA logins from known Tor exit nodes if they suspect they are victimized. Typically, legitimate users do not use Tor for accessing email. While not conclusive, if paired with known targeting by this group, the access from Tor exit nodes can serve as an indicator of the group’s illicit logins,” they pointed out.