100 Dealmaking Firms Hit in Widespread FIN4 Phishing Assault


2 December 2014


A sophisticated ring of cyber criminals is applying social engineering methods to target a broad swathe of dealmakers, apparently trying to pry loose sensitive mergers and acquisitions information.

During the past year, the organization, dubbed “FIN4,” has hacked into more than 100 companies and investment advisory and law firms, says the Financial Times. Over two-thirds of the targeted firms are in the pharmaceuticals industry, the article notes, citing a research report from FireEye Inc., a cybersecurity firm.

Hackers Target Dealmakers

The phishing targets are typically high-level U.S.-based company executives, or members of corporate development teams, often in M&A discussions. FIN4 sends emails, written in English and embedded with malicious links and downloads, to steal its victims’ email passwords. The downloads can even intercept and delete incoming emails that might alert people that they have been hacked.

The hackers next access email accounts and steal insider M&A data, as well as drug trial and Medicare reimbursement policy information. All these data types could affect the targets’ stock prices, suggests the FT.

It’s unclear just who is behind the hacks, according to FireEye. However, FIN4 appears to understand Wall Street’s inner workings. As many as five organizations per deal are hacked — allowing the hackers to get an idea of a given deal’s potential success, claims the FT. Also, to dupe the targets into clicking on the malicious links, the emails refer to Securities and Exchange Commission information, or claim to have information subject to attorney-client privilege.

Wall Street Hack Attacks a Natural Progression

Unfortunately, this assault may be a sign of the future. “I think this type of attack will become more common as criminals shift their attention from stealing money to stealing data,” says Mushegh Hakhinian, chief security architect at Intralinks. “Since the targets of phishing are people, there are no direct technical measures of protection. As the saying goes: ‘People cannot be patched.’”

Additionally, he points out: “Board level executives are perfect targets for spear phishing attacks. Their biographies and most of their work and achievements are usually public. They have the power to overrule security protocols and usually give their assistants access to their email accounts.”

Two-Factor Authentication Mitigates Enterprise Risk

However, Mushegh offers some suggestions for a chief information officer or chief information security officer to prepare for such attacks. He notes there are risk-based solutions that are easy to use and don’t compromise on security.

One such technique is risk-based two-factor authentication (2FA). This type of solution evaluates the risk at the time of the transaction (e.g., during login to email), based on past behavior and the access device used. If the risk is above a pre-set threshold, the user must enter additional authentication factors; knowing the password alone is not enough. Even if the victim clicked on the FIN4 link and the email account's password was compromised, the hacker would still need a secondary authenticator to gain access.
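A minimal sketch of the risk-based 2FA decision described above, added here as an illustration and not taken from Intralinks or any vendor product. The signal names, weights, threshold and sample logins are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Weights and threshold are illustrative assumptions, not values from the article.
WEIGHTS = {"new_device": 0.5, "new_country": 0.3, "unusual_hour": 0.2}
THRESHOLD = 0.4

@dataclass
class Profile:
    """Past behavior recorded for one mailbox user."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # local hours the user normally logs in

@dataclass
class Attempt:
    password_ok: bool
    device_id: str
    country: str
    hour: int
    second_factor_ok: bool = False      # e.g. a verified one-time code

def risk_score(profile: Profile, a: Attempt) -> float:
    """Sum the weights of every signal that deviates from past behavior."""
    signals = {
        "new_device": a.device_id not in profile.devices,
        "new_country": a.country not in profile.countries,
        "unusual_hour": a.hour not in profile.usual_hours,
    }
    return round(sum(WEIGHTS[k] for k, hit in signals.items() if hit), 2)

def decide(profile: Profile, a: Attempt) -> str:
    """Return 'deny', 'allow' or 'step_up' for a login attempt."""
    if not a.password_ok:
        return "deny"
    if risk_score(profile, a) <= THRESHOLD:
        return "allow"
    if not a.second_factor_ok:
        return "step_up"                # password alone is not enough
    # Second factor verified: remember the device so it is low-risk next time.
    profile.devices.add(a.device_id)
    profile.countries.add(a.country)
    return "allow"

# Constructed sample data: an executive's usual laptop, then a phished password
# replayed from an unknown device at an unusual hour.
exec_profile = Profile(devices={"laptop-01"}, countries={"US"})
usual = Attempt(True, "laptop-01", "US", 9)
phished = Attempt(True, "unknown-77", "US", 3)
```

A device is enrolled only after the second factor succeeds, so a stolen password replayed from an unfamiliar machine keeps triggering the step-up instead of gradually becoming trusted.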

“I would recommend anyone affected to check with their providers, see if strong authentication is available, and to turn it on immediately,” says Mushegh. “For the longer term, let's hope this attack will have a silver lining and strong authentication will become a table stakes requirement when choosing online providers.”

Education and VDRs Keep M&A Secure

Historically, deal information is more likely to be intentionally leaked by the parties involved — and not stolen by an outsider, says research from Intralinks and the Cass Business School, City University London. Nevertheless, security around the deal must be strong. That’s because dealmakers have always faced the threat of unscrupulous opportunists looking to unfairly exploit confidential data, Intralinks’ Vice President of M&A Strategy and Product Marketing Matt Porzio points out.

“People looking to tamper unethically with a deal have gone so far as to monitor the movements of the CEOs involved in the negotiations,” says Matt. “These people monitor whom the CEOs meet with. They even look at the travel plans of the bankers involved. They’ll scout out the physical data room location — typically, this is a site where a conference room has been rented out, and where the physical log book is kept.”

It’s likely that the most effective protection from these types of attacks is security education — and at the highest corporate levels. Senior executives, lawyers and M&A professionals require heightened awareness of phishing and other social engineering tactics.

And there are existing technology solutions to further safeguard M&A data. As Matt says: “Luckily, technology can offer protection — a purpose-designed virtual data room (VDR) can be a buffer against malicious activity during the crucial due diligence phase of a deal.”

Marc Songini


Marc Songini has worked in the information technology field for more than 16 years. His roles have included those of journalist, analyst, and marketing communications specialist. He admits that when he started out as a cub high tech reporter, Netscape was still rocking the industry with a wondrous new user interface called a “browser.” During his 10 years with International Data Group (IDG), Marc wrote for NetworkWorld and Computerworld, both award-winning magazines. Marc specializes in cloud, enterprise apps, and figuring out the meaning of being human in an automated world.