
FIN4 Attack Group Targets Firms for Stock Market Profit

Researchers at FireEye have issued a report on an attack group targeting C-level executives to get insider information that could be used to gain an advantage in the stock market.


FireEye has dubbed the group ‘FIN4’. Since mid-2013, researchers have linked them to attacks at more than 100 companies. All of the targeted organizations are either public companies or advisory firms that provide services to those companies, such as investment banking firms and legal firms. More than two-thirds are healthcare and pharmaceutical companies.

All but three of the public companies are listed on the NASDAQ or the New York Stock Exchange (NYSE). The remaining three are listed on non-U.S. exchanges.

FIN4 Cyber Crime Group Targeted Firms

“We are able to characterize FIN4’s activity from the incidents to which we have responded in our clients’ networks, FIN4’s attempts to compromise our managed service clients, our product detection data, and further independent research,” FireEye noted in a report on the group. “Our visibility into FIN4’s activities is limited to their network operations; we can only surmise how they may be using and potentially benefiting from the valuable information they are able to obtain. However one fact remains clear: access to insider information that could make or break stock prices for dozens of publicly traded companies could surely put FIN4 at a considerable trading advantage.”

According to FireEye, FIN4 focuses heavily on obtaining information about discussions related to mergers and acquisitions (M&A), and targets not only executives but also regulatory, risk and compliance personnel, legal counsel and others with access to deal information. The group frequently uses lures related to M&A activity and the U.S. Securities and Exchange Commission (SEC), delivered as Office documents carrying Visual Basic for Applications (VBA) macros that prompt for and capture the usernames and passwords of these key individuals.

FIN4 has also used links to fake Outlook Web App (OWA) login pages to steal users' credentials. Once those credentials are in hand, the group has access to the victim's email in real time, and with it potential insight into pending deals and their timing.

“Many of FIN4’s lures appeared to be stolen documents from actual deal discussions that the group then weaponized and sent to individuals directly involved in the deal,” according to the report. “In some cases, the discussions were public knowledge and widely reported in the media, while others were still in the early exploration and due diligence phases. In one instance, we observed FIN4 simultaneously target five different organizations involved in a single acquisition discussion. The group targeted individuals at the five firms several months before the organizations’ involvement in the acquisition talks went public.”

Given the group's command of English, its familiarity with regulatory and compliance standards, and its industry knowledge, FireEye researchers believe FIN4 is based in the U.S. or Western Europe.


“Advanced threat actors conducting attacks to play the stock market to their advantage has long been a worry but never truly seen in action,” said Dan McWhorter, VP of threat intelligence at FireEye, in a statement. “FIN4 is the first time we are seeing a group of very sophisticated attackers actually systematically acquire information that only has true value to a criminal when used in relation to the stock market.”

FireEye recommends that organizations disable VBA macros in Microsoft Office by default and block the domains associated with the campaign that are listed in the report, such as ellismikepage[.]info and rpgallerynow[.]info. Organizations should also enable two-factor authentication for OWA and any other remote access mechanism, so that a stolen username and password alone are not enough for the attacker to log in.

“Companies can also check their network logs for OWA logins from known Tor exit nodes if they suspect they are victimized,” according to the report. “Typically, legitimate users do not use Tor for accessing email. While not conclusive, if paired with known targeting by this group, the access from Tor exit nodes can serve as an indicator of the group’s illicit logins.”
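The Tor-exit check FireEye describes, written out as an added example that is not part of the article or the FireEye report. It assumes IIS W3C-format logs from an Exchange front end (the format Exchange's OWA virtual directory writes) and a Tor exit-node list such as the one Tor publishes at https://check.torproject.org/torbulkexitlist. The log lines and the exit-node addresses below are constructed for illustration (RFC 5737 documentation ranges) and identify no real infrastructure; the `#Fields:` parser, the `/owa` and `/ecp` prefix filter and the function names are this example's own choices, not anything from the report.

```python
"""Flag OWA/ECP requests whose client IP is a known Tor exit node.

Added example, not from the FireEye report or SecurityWeek. Assumes IIS
W3C extended logs and a Tor exit list; everything below is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional

# Constructed Tor exit-node list. In practice, snapshot the published bulk
# exit list at the time of the logs being reviewed; exit nodes churn daily.
TOR_EXIT_NODES = {
    "198.51.100.7",
    "203.0.113.44",
}

# Constructed IIS W3C log excerpt. Real logs carry more fields; the parser
# reads the #Fields: header so field order and count do not matter.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2014-11-20 02:13:45 10.0.0.5 POST /owa/auth.owa - - 198.51.100.7 Mozilla/5.0 302
2014-11-20 02:13:46 10.0.0.5 GET /owa/ - CORP\\jdoe 198.51.100.7 Mozilla/5.0 200
2014-11-20 08:02:11 10.0.0.5 POST /owa/auth.owa - - 192.0.2.15 Mozilla/5.0 302
2014-11-20 08:02:12 10.0.0.5 GET /owa/ - CORP\\asmith 192.0.2.15 Mozilla/5.0 200
2014-11-20 09:30:00 10.0.0.5 GET /ecp/ - CORP\\admin 203.0.113.44 Mozilla/5.0 200
2014-11-20 09:31:00 10.0.0.5 POST /owa/auth.owa - - 203.0.113.44 Mozilla/5.0 401
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request line."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        # IIS replaces spaces inside a field with '+', so whitespace
        # splitting is safe once the #Fields: header has been seen.
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip, don't guess
        records.append(dict(zip(fields, parts)))
    return records


def _normalize(ip: str) -> Optional[str]:
    """Canonical textual form of an IPv4/IPv6 address, or None if invalid."""
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def tor_owa_access(records: Iterable[dict[str, str]],
                   exit_nodes: Iterable[str]) -> list[dict[str, str]]:
    """Return every OWA or ECP request whose client IP is a Tor exit.

    Any request under /owa or /ecp is reported, not only authentication
    attempts: the report treats Tor-sourced OWA access itself as the
    indicator, and a failed login from Tor is still worth a look.
    """
    exits = {n for n in (_normalize(e) for e in exit_nodes) if n}
    hits: list[dict[str, str]] = []
    for r in records:
        uri = r.get("cs-uri-stem", "").lower()
        if not (uri.startswith("/owa") or uri.startswith("/ecp")):
            continue
        client = _normalize(r.get("c-ip", ""))
        if client in exits:
            hits.append({
                "time": f"{r.get('date', '-')} {r.get('time', '-')}",
                "c-ip": client,
                "user": r.get("cs-username", "-"),
                "uri": uri,
                "status": r.get("sc-status", "-"),
            })
    return hits


def users_seen_over_tor(hits: Iterable[dict[str, str]]) -> dict[str, set[str]]:
    """Map each authenticated username to the Tor exits it was seen from."""
    by_user: dict[str, set[str]] = {}
    for h in hits:
        if h["user"] != "-":  # anonymous pre-auth requests carry '-'
            by_user.setdefault(h["user"], set()).add(h["c-ip"])
    return by_user


if __name__ == "__main__":
    found = tor_owa_access(parse_w3c(SAMPLE_LOG), TOR_EXIT_NODES)
    for h in found:
        print(f"{h['time']} {h['c-ip']:<15} {h['user']:<12} {h['uri']} {h['status']}")
    for user, ips in users_seen_over_tor(found).items():
        print(f"{user}: {', '.join(sorted(ips))}")
```

Point the script at real IIS logs by reading the files into `parse_w3c` instead of `SAMPLE_LOG`, and feed it an exit list captured around the dates under review rather than today's. As the report says, a hit is not conclusive on its own: a legitimate user behind a privacy VPN or a misclassified relay will also match, so treat the per-user output as a list of accounts to confirm with the user and to check for mailbox rules or mail-forwarding changes.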

Written By

Marketing professional with a background in journalism and a focus on IT security.
