FireEye suspects FIN4 hackers are Americans after insider info to game stock market

FireEye suspects FIN4 financial hackers are Americans, who have targeted over 100 firms, in order to steal insider info to make or to break stock market prices.

FireEye cyber attack map
Credit: FireEye

FireEye revealed that over 100 firms have been attacked via their email accounts since mid-2013 by Wall Street-wise hackers out to play the stock market with pilfered insider info; while not naming the victims, FireEye said most are pharmaceutical and healthcare companies. Victims also include investment bankers, attorneys, researchers, scientists, regulatory and compliance personnel, people in advisory and risk roles, C-level executives, senior leadership and others who "regularly discuss confidential, market-moving information.”

FIN4 targets FireEye

This time the attackers are not Chinese, Russian or North Korean nation-state hackers, but native English speakers. “We suspect they are Americans, given their Wall Street inside knowledge,” Jen Weedon, FireEye’s manager of threat intelligence told Bloomberg. “They seem to have worked on Wall Street.”  FireEye calls the hackers “FIN4” because of their focus on the financial sector.  

The attackers could also be “Western Europeans who have worked in the investment banking industry here in the United States," Weedon told the New York Times. It’s “hard because we don't have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”

Unlike Advanced Persistent Threat (APT) groups that use malware to suck out every last drop of data in hopes of it providing something valuable to be determined at a later time, FIN4 has one objective: “to obtain an edge in stock trading.” FireEye reported, “FIN4 appears to conduct intrusions that are focused on a single objective: obtaining access to insider information capable of making or breaking the stock prices of public companies. The group specifically targets the emails of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information.”

“FIN4 knows their targets,” the report (pdf) said. “In order to get useful inside information, FIN4 compromises the e-mail accounts of individuals who regularly communicate about market-moving, non-public matters.” The spearphishing emails are written in flawless English and are “most often sent from other victims’ email accounts and through hijacked email threads. These lures appeal to common investor and shareholder concerns, enticing the intended victims into opening the weaponized document and entering their email credentials.”

An example of FIN4's phishing bait combining social engineering into an email that verily screams "open me," included the subject line of "employee making negative comments about you and the company," allegedly sent from a trusted client.

68% of the targets are publicly traded healthcare and pharmaceutical companies; 20% are firms advising on securities, legal and merger and acquisition matters. 12% targeted by FIN4 are publicly traded companies. Since more than two-thirds of the targeted organizations are healthcare and pharmaceutical companies, FireEye said, “FIN4 probably focuses on these types of organizations because their stocks can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues.”

FIN4 healthcare targets FireEye

"Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action," said Dan McWhorter, FireEye’s vice president of threat intelligence. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market."

FireEye released indicators to help organizations detect activity from the FIN4 threat group.

97% of firms breached for 229 days before discovery: FireEye on 60 Minutes

FireEye is popping up in the news all over the places, from FireEye’s Mandiant being hired by Sony after it was hacked, to being featured in a 60 Minutes episode during which correspondent Bill Whitaker dug into “What happens when you swipe your card?”

After mentioning that 2014 is going down as the “year of the data breach,” FireEye CEO Dave DeWalt said that despite large companies spending more on cybersecurity, "literally 97% of all companies are getting breached." DeWalt added, “Just accept” that breaches are “inevitable.”

“On average the breaches from the time of infection, from when the bad guys get in to the time they are discovered, is a whopping 229 days," said DeWalt. "Forensic investigations reveal that 80% of security breaches involve stolen and weak passwords. One of the most common is: 123456.”

After a company is breached, the stolen credit card numbers sell for $10 - $50, “depending on things like the expiration date, or the credit limit.” The crooks even offer a guarantee. Brian Krebs, of Krebs on Security, told 60 Minutes, “If you buy from them and it comes back as declined, they'll automatically credit the amount that you bought for that card cost. So they'll automatically credit your account.” Krebs added, “If you buy a card for 20 bucks and you can make 400 dollars off each card, that's a pretty good return on your investment.”

If you have 13 minutes to spare, you can watch the 60 Minutes segment embedded below.

The brave new world of Windows 10 license activation
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies