The SEC is investigating reports of a slightly different form of hacking – get insider trading information and use it yourself. Insider trading, of course, has been around as long as there has been trading. But what if the insider trading was occurring from halfway around the globe and no insiders were involved?
FireEye, as part of their client work, has discovered that hackers are spear phishing C-level executives – you know, the ones who send and receive sensitive insider information on sales and M&A deals over email – and the hackers are using it for themselves.
The group, which FireEye calls FIN4, was disclosed in a report last year. Now, both the SEC and Secret Service are investigating. They have talked to at least 8 publicly traded companies, according to an article on Dark Reading.
If you think about it, it is a perfect crime. If you hack someone’s email, they likely will never know about it – unless you are stupid. If you have the right mailboxes, you get some pretty interesting information.
Since most C-Levels don’t encrypt their email (including the ones who still – yes, really – have their admins print out their emails for them), if you get their password you are in. Also, most C-Levels don’t require two-factor authentication to access their email, making life simple for the attackers.
So now, what do you do? You have a group, scattered around the globe, that buys and sells stocks, probably on margin, in small blocks – say less than 10,000 shares – with different brokers. For example, 50 people x 10,000 shares x $10 upswing = $5 million profit on one trade. If you can get away with leveraging blocks of 100,000 shares, in that same deal you make $50 million.
As I have said for a long time: PIGS GET FAT, HOGS GET SLAUGHTERED. If you get too piggy, you will get caught.
However, in corporate America, there is no end of targets to attack. And the model is VERY easy to replicate. You could probably do it yourself, in your own name, and make a very comfortable living.
Oh yeah – who would be the juiciest target? Attorneys, accountants, financial advisors, etc. THE ADVISORS WOULD LIKELY NEVER KNOW.
In theory, the company isn’t harmed, so they don’t really care.
Seems like a pretty interesting gig.