For more than a year, a group of cybercriminals has been targeting more than 100 companies in an attempt to steal information that could affect global financial markets.
FireEye, a security company, recently published a report on the group, which it has dubbed “FIN4.”
The report explains how FIN4 has been using sophisticated spearphishing techniques to trick executives, lawyers, and consultants into handing over their credentials to their email accounts.
Thus far, 68% of the group’s targets have been personnel from publicly traded health care companies. However, advisers and enterprises from other sectors have also been hacked.
Jen Weedon, FireEye’s manager of threat intelligence, suspects that the hackers, judging from the nature of their phishes, have a deep knowledge of Wall Street and are native English speakers, possibly American.
Weedon therefore believes that FIN4 is not interested in using malware to corrupt corporate networks.
“It appears to me that these guys are stealing information that would give them a leg up in the stock market,” Weedon said in an interview.
Ken Westin, Sr. Technical Marketing Manager and Security Analyst at Tripwire, has also made this observation: “The group is not leveraging complex hacking techniques to gain access to sensitive data. They are going after the weakest link in the security chain: people. Given the targets and the data compromised, you could call this white-collar cybercrime because the goal appears to be industrial espionage.”
Once they have successfully acquired a target’s login credentials, the hackers use Tor to access the target’s email account and sniff around for useful information, all the while deleting any security notifications that might otherwise warn the target that their account has been breached.
FireEye has handed over its information to the FBI for further investigation.
In the meantime, companies can protect themselves against FIN4, as Westin explains: “Since there is generally no valid reason an employee would log into corporate systems using Tor, all they have to do is flag all the Tor exit node IP addresses in their IPS systems.”
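The check Westin describes, as an added example that is not from the FireEye report or from Tripwire: login events are matched against a list of Tor exit node addresses and any hit is flagged. The exit node list, the log format and the addresses below are constructed for illustration (documentation ranges, not real exit nodes).

```python
import ipaddress
import re

# Constructed Tor exit node list (documentation-range addresses, not real nodes).
# In practice this set is refreshed regularly from the Tor project's published
# exit list, since exit nodes change frequently and a stale list misses logins.
TOR_EXIT_NODES = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.77"),
    ipaddress.ip_address("2001:db8::1"),
}

# Constructed webmail authentication log in a hypothetical key=value format.
SAMPLE_LOG = """\
2014-11-20T08:12:03Z user=cfo@example.com src=192.0.2.25 result=success
2014-11-20T22:41:19Z user=counsel@example.com src=203.0.113.10 result=failure
2014-11-20T22:43:02Z user=counsel@example.com src=203.0.113.10 result=success
2014-11-21T01:05:44Z user=ceo@example.com src=198.51.100.77 result=success
2014-11-21T01:07:10Z user=ceo@example.com src=not-an-ip result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def flag_tor_logins(log_text, exit_nodes=TOR_EXIT_NODES):
    """Return one alert per login attempt (successful or not) whose source
    address is a known Tor exit node. Since employees have no valid reason to
    reach corporate mail over Tor, every hit is worth an analyst's attention;
    failed attempts are kept because they show credential testing in progress."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        try:
            src = ipaddress.ip_address(m["src"])  # handles both IPv4 and IPv6
        except ValueError:
            continue  # malformed source field; not a usable indicator
        if src in exit_nodes:
            alerts.append({"ts": m["ts"], "user": m["user"],
                           "src": str(src), "result": m["result"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_tor_logins(SAMPLE_LOG):
        print("TOR LOGIN:", alert)
```

The same membership test can be applied as a block rule rather than an alert, which is the IPS placement Westin suggests; alerting first lets a team confirm the exit list is accurate before blocking.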