FIN4 Attack Group Targets Firms for Stock Market Profit

Researchers at FireEye have issued a report on an attack group targeting C-level executives to get insider information that could be used to gain an advantage in the stock market.

FireEye has dubbed the group ‘FIN4’. Since mid-2013, researchers have linked them to attacks at more than 100 companies. All of the targeted organizations are either public companies or advisory firms that provide services to those companies, such as investment banking firms and legal firms. More than two-thirds are healthcare and pharmaceutical companies.

All but three of the public companies are listed on the NASDAQ or the New York Stock Exchange (NYSE). The remaining three are listed on non-U.S. exchanges.

FIN4 Cyber Crime Group Targeted Firms

“We are able to characterize FIN4’s activity from the incidents to which we have responded in our clients’ networks, FIN4’s attempts to compromise our managed service clients, our product detection data, and further independent research,” FireEye noted in a report on the group. “Our visibility into FIN4’s activities is limited to their network operations; we can only surmise how they may be using and potentially benefiting from the valuable information they are able to obtain. However one fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage.”

According to FireEye, FIN4 focuses heavily on obtaining information about discussions related to mergers and acquisitions (M&A), and targets not only executives but also regulatory, risk and compliance personnel, legal counsel and others. The group frequently uses lures themed around M&A activity and the U.S. Securities and Exchange Commission (SEC), with Visual Basic for Applications (VBA) macros embedded to steal the usernames and passwords of these key individuals.

FIN4 has also utilized links to fake Outlook Web App (OWA) login pages in order to steal the user’s credentials. Once those credentials are in hand, the group then has access to real-time email communications and possibly insight into potential deals and their timing.

“Many of FIN4’s lures appeared to be stolen documents from actual deal discussions that the group then weaponized and sent to individuals directly involved in the deal,” according to the report. “In some cases, the discussions were public knowledge and widely reported in the media, while others were still in the early exploration and due diligence phases. In one instance, we observed FIN4 simultaneously target five different organizations involved in a single acquisition discussion. The group targeted individuals at the five firms several months before the organizations’ involvement in the acquisition talks went public.”

Given the group's command of English, its familiarity with regulatory and compliance standards, and its industry knowledge, FireEye researchers believe FIN4 is based in either the U.S. or Western Europe.

“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence at FireEye, in a statement. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”

FireEye recommends organizations disable VBA macros in Microsoft Office by default and block the domains associated with the attack that are listed in the report, such as ellismikepage[.]info and rpgallerynow[.]info. In addition, organizations should enable two-factor authentication for OWA and any other remote access mechanisms to prevent credentials from being stolen and leveraged by the attacker.

“Companies can also check their network logs for OWA logins from known Tor exit nodes if they suspect they are victimized,” according to the report. “Typically, legitimate users do not use Tor for accessing email. While not conclusive, if paired with known targeting by this group, the access from Tor exit nodes can serve as an indicator of the group’s illicit logins.”
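A minimal version of the log check FireEye describes, added here as an illustration rather than taken from the report: it parses IIS-style W3C log lines for the OWA authentication endpoint and flags login attempts whose client address appears in a Tor exit-node list. The field layout, the exit-node addresses and the log lines are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample of a Tor exit-node list, as a defender would load it from a
# public exit-list feed. These are documentation addresses, not real exit nodes.
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}

# Constructed IIS-style W3C log lines for the OWA virtual directory.
# Assumed field order: date time cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2014-11-20 08:02:11 POST /owa/auth.owa jdoe@corp.example 192.0.2.10 302
2014-11-20 08:03:45 POST /owa/auth.owa jdoe@corp.example 198.51.100.23 302
2014-11-20 08:04:02 POST /owa/auth.owa asmith@corp.example 203.0.113.77 401
2014-11-20 09:15:30 GET /owa/ asmith@corp.example 192.0.2.44 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Split one log line into named fields; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tor_owa_logins(log_text, tor_exits):
    """Return OWA authentication attempts (POST to /owa/auth*) originating from a
    known Tor exit node, as (user, ip, timestamp, status) tuples in log order.
    Failed attempts are kept too: repeated failures from Tor are themselves worth
    correlating with known targeting of the organization."""
    exits = {ipaddress.ip_address(a) for a in tor_exits}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["uri"].lower().startswith("/owa/auth"):
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed client address; skip rather than crash the sweep
        if ip in exits:
            hits.append((rec["user"], str(ip), f"{rec['date']} {rec['time']}", rec["status"]))
    return hits
```

As the report notes, a Tor-sourced OWA login is an indicator to correlate with other evidence, not proof of compromise on its own.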
