Hackers have targeted the emails of top executives in more than 100 companies to steal market-sensitive information and “gain an edge in stock trading”, a report released on Monday revealed.
The group, dubbed FIN4 by security researchers at FireEye, targeted individuals involved in market-moving merger and acquisition (M&A) deals with tailor-made emails; most of the targets worked in the pharmaceutical and healthcare sector. The information could “make or break a stock price”, FireEye said.
FIN4 sends an email related to the M&A deal, sometimes purporting to come from the U.S. Securities and Exchange Commission (SEC), to people involved in the transaction. A document is attached to the email; when it is opened, the target is prompted to enter their email account details, and in this way the criminals steal login credentials. No malware needs to be installed: the stolen username and password alone give the group access to the victim’s mailbox.
“Many of FIN4’s lures appeared to be stolen documents from actual deal discussions that the group then weaponized and sent to individuals directly involved in the deal,” FireEye said in the report.
“We’ve seen the actors seamlessly inject themselves into email threads. FIN4’s emails would be incredibly difficult to distinguish from a legitimate email sent from a previously compromised victim’s email account.”
FIN4 has been operating since mid-2013 and is most likely U.S. based, FireEye said. All but three of the public companies targeted in the email hack are listed on the New York Stock Exchange or NASDAQ, with the remaining three listed on non-U.S. exchanges, the cybersecurity firm added.
FireEye noted that after information about a deal that FIN4 knew about went public, the stock “varied significantly” and that it is likely the group “used the inside information they had to capitalize on these stock fluctuations”.
To evade detection, FIN4 created rules in victims’ Microsoft Outlook email accounts that automatically deleted any email containing words such as “hacked” or “malware”. This prevented victims from receiving emails from other targets warning them that their account might be compromised. A mailbox-rule audit is the corresponding check: a rule that deletes mail keyed on incident-response vocabulary has no legitimate business purpose, and a rule created through the mail client rather than the web interface may not be visible to the victim at all.
On top of this, the hackers used the Tor network, software that routes traffic through volunteer relays so users can browse the internet anonymously, to access their targets’ accounts, which hid the true origin of the logins.
FireEye said that this group was different in that it used targeted email attacks rather than malware, but the U.S. researchers said they “cannot say for certain what happens” once FIN4 gets access to insider information.
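The two tells just described, a mailbox rule that hides warning emails and sign-ins through Tor, are both things a defender can hunt for across every mailbox in a tenant. The script below is an added example, not code from the article or from FireEye. It scans a rule export shaped like the output of the Exchange cmdlet `Get-InboxRule -IncludeHidden` (property names such as `SubjectOrBodyContainsWords`, `DeleteMessage` and `MoveToFolder` are that cmdlet’s; the mailboxes, rule contents, sign-in records and the tiny Tor exit-node list are all constructed for this example) and reports, per mailbox, any rule that deletes or files away mail mentioning a compromise, together with any sign-in from a listed Tor exit IP.

```python
"""Hunt for the two FIN4 tells described above: Outlook inbox rules that
silently delete or file away mail mentioning a compromise, and mailbox
sign-ins from Tor exit nodes. All data below is constructed sample input."""
import json

# Words a fellow victim or an incident responder would put in a warning mail.
WARNING_TERMS = ("hacked", "malware", "phish", "compromis", "suspicious", "virus")

# Constructed sample shaped like `Get-InboxRule -IncludeHidden | ConvertTo-Json`
# (property names follow that cmdlet; mailboxes and rules are invented here).
SAMPLE_RULES_JSON = r"""
[
  {"MailboxOwnerId": "cfo@example.com", "Name": "Cleanup", "Enabled": true,
   "SubjectOrBodyContainsWords": ["hacked", "malware"], "DeleteMessage": true,
   "MoveToFolder": null, "MarkAsRead": false},
  {"MailboxOwnerId": "cfo@example.com", "Name": "Newsletters", "Enabled": true,
   "SubjectContainsWords": ["newsletter"], "DeleteMessage": false,
   "MoveToFolder": "cfo@example.com:\\Reading", "MarkAsRead": true},
  {"MailboxOwnerId": "counsel@example.com", "Name": ".", "Enabled": true,
   "BodyContainsWords": ["phishing", "compromised"], "DeleteMessage": false,
   "MoveToFolder": "counsel@example.com:\\RSS Feeds", "MarkAsRead": true},
  {"MailboxOwnerId": "counsel@example.com", "Name": "Old", "Enabled": false,
   "SubjectContainsWords": ["hacked"], "DeleteMessage": true}
]
"""

# Constructed sign-in records and an invented exit-node list; in practice the
# list comes from the Tor Project's published exit addresses.
SAMPLE_LOGINS = [
    {"user": "cfo@example.com", "ip": "198.51.100.7", "client": "OWA"},
    {"user": "cfo@example.com", "ip": "203.0.113.42", "client": "OWA"},
    {"user": "counsel@example.com", "ip": "198.51.100.9", "client": "Outlook"},
]
TOR_EXIT_IPS = {"203.0.113.42", "203.0.113.43"}


def load_rules(text):
    """Parse the JSON rule export into a list of rule dicts."""
    return json.loads(text)


def hiding_rules(rules):
    """Return enabled rules that delete or move mail matching a warning term."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        words = []
        for field in ("SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords"):
            words.extend(r.get(field) or [])
        hits = sorted({w for w in words
                       if any(t in w.lower() for t in WARNING_TERMS)})
        if not hits:
            continue
        if r.get("DeleteMessage"):
            action = "delete"
        elif r.get("MoveToFolder"):
            # Folder paths look like "user@domain:\Folder"; keep the folder part.
            folder = r["MoveToFolder"].rsplit(":", 1)[-1].lstrip("\\")
            action = "move:" + folder
        else:
            continue  # mark-as-read alone does not hide the warning
        findings.append({"mailbox": r["MailboxOwnerId"], "rule": r["Name"],
                         "terms": hits, "action": action})
    return findings


def tor_logins(logins, exit_ips=TOR_EXIT_IPS):
    """Return sign-in records whose source address is a known Tor exit."""
    return [l for l in logins if l["ip"] in exit_ips]


def triage(rules, logins, exit_ips=TOR_EXIT_IPS):
    """Group both tells per mailbox. A mailbox showing both warrants an
    immediate password reset, session revocation and rule removal."""
    report = {}
    for f in hiding_rules(rules):
        entry = report.setdefault(f["mailbox"], {"hiding_rules": [], "tor_logins": []})
        entry["hiding_rules"].append(f["rule"])
    for l in tor_logins(logins, exit_ips):
        entry = report.setdefault(l["user"], {"hiding_rules": [], "tor_logins": []})
        entry["tor_logins"].append(l["ip"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(load_rules(SAMPLE_RULES_JSON), SAMPLE_LOGINS), indent=2))
```

The disabled rule and the newsletter filter are skipped on purpose; a rule that only marks mail as read is left alone because the warning still lands in the inbox. Rules named with a single punctuation character, like the `.` above, are worth a second look even without a term match, since that naming is a common way to keep a rule inconspicuous.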
“What we can say is that FIN4’s network activities must reap enough benefit to make these operations worth supporting for over a year—and in fact, FIN4 continues to compromise new victims as we finish this report,” FireEye noted.