FIN4 Hackers Take Aim at Wall Street

Researchers from FireEye reveal a new hacking ring that has been targeting more than 100 financial services organizations to gain insight into non-public financial information.

security breach

An active group known as FIN4 is hacking Wall Street financial firms in a bid to gain privileged financial information about non-public upcoming market moving announcements, according to a new report from FireEye.

The FIN4 campaign began in the middle of 2013, according to FireEye. Sixty-eight percent of the companies that have been targeted are publicly traded health care and pharmaceutical companies, while 20 percent have been identified as firms that advise public companies on securities, legal, and merger and acquisition matters.

The name "FIN4" is one that FireEye chose for the group, Jen Weedon, threat intel manager at FireEye, told eWEEK. "We use the letters FIN for groups that we assess are financially motivated; it's an internal designation," Weedon explained.

At this stage, it's not entirely clear how much money the FIN4 group has stolen, though FireEye is confident the group has had significant access to valuable insider information.

"The amount of insider information they potentially have access to with all the credentials they've stolen is staggering, and would definitely give them a big leg up against an average investor," Weedon said.

The way FIN4 works is the group leverages a number of well-known attack techniques to trick users into giving up access credentials. The techniques used by FIN4 are relatively simple but effective, she said.

One of the techniques used is to "weaponize" documents. A weaponized document is one that looks legitimate but may have been stolen from another victim's inbox and may include some form of malware or Trojan virus. FIN4 sends the weaponized documents to targets that the hacker group believes have access to valuable insider financial information.

"These documents have embedded malicious macros which, if a user enters their credentials, allows FIN4 to capture the username and password of that user," Weedon said. "Then FIN4 has legitimate access to their inbox."

Often, there is no malware on the victim machine, she said, adding that FIN4 can craft very realistic messages and inject themselves into ongoing email threats in victims' inboxes, so they are using pure social engineering to get the information they seek.

The idea of using a document macro capability to execute some form of attack is not a new one. The FIN4 hackers are leveraging Microsoft Visual Basic (VBA) macros, which was the same basic attack method used by hackers in 1999 and 2000 with the Melissa and ILOVEYOU macro viruses. So far in 2014, however, multiple vendors have reported an increase in VBA macro-based malware as the old attack method mounts a comeback.

As a potential defense against the FIN4 attackers, Weedon said that disabling VBA macros in Microsoft Office by default will help. Additionally, blocking FIN4's domains, which FireEye identifies in its report, is a good best practice. Weedon also suggests that organizations enable two-factor authentication for remote Webmail access to further reduce risk.

Going a step further, Weedon said that FireEye has shared its research and findings with law enforcement.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.