Compliance Management, Incident Response, Privacy, TDR

FIN4 group infiltrates email, to game stock market, report says


A group dubbed FIN4 has positioned itself to gain an edge in stock trading using unusually savvy social engineering to infiltrate the email of executives at more than 100 companies to gain insider information that could impact stock prices, according to researchers at FireEye.

While the group began its shenanigans in 2013, FireEye “started to track them more in depth a couple of months ago,” Jen Weedon, threat manager at FireEye, told 

Combining a number of perspectives — including incident response information gathered from clients and “high level independent research” — FireEye has been able to “piece together” FIN4's activities, Weedon said.

Based on the findings, FIN4 seems to have intimate knowledge of Wall Street and how business deals are executed, pulling “on specific executive concerns,” she noted. 

“We haven't seen that level of social engineering beforem,” Weedon added.

The group “attacks” targets exclusively through email, compromising the accounts of those, such as legal counsel, executives, and outside consultants, who have non-public information on mergers and acquisitions and major marketing moves. 

FIN4 doesn't attempt to infect targets with malware, but rather, using “sophisticated phishing schemes," aims to obtain usernames and passwords that will allow them to access targets' email accounts. 

“They take a legitimate document and weaponize it,” Weedon said. "They can then view private correspondence and “start injecting themselves into the conversation.”

The scheme is particularly hard to detect because it does not involve malware and because the weaponized documents are recognized by victims as documents that they have worked on or are legitimate parts of correspondence among participants in a deal or marketing move. 

FireEye feels certain that the bad actors behind the effort are attempting to manipulate the market. 

“There's no other alternative that we can think of that they can do than to game the system,” said Weedon, who noted that the sophistication and specificity of the social engineering indicates that the miscreants are or were likely Wall Street insiders or were in investment banking.

FireEye can't determine if the information garnered has been used to cheat the system — or to what extent, the company noted that 68 percent of the targeted companies are publicly traded healthcare and pharmaceutical entities. 

The security firm has turned its findings over to law enforcement authorities and “the ball is in their court,” said Weedon. 

While the infiltration is difficult to detect because FIN4 “doesn't drop malware on victims,” Weedon said there are a couple of ways companies can protect themselves. 

“IT can disable macros by default,” she said. And, FireEye “has issued indicators” to help companies spot FIN4 activity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.