Hackers Use Wall Street Lingo to Breach Health Care Companies’ Emails

04 December, 2014

FireEye, a Silicon Valley security company, recently released a report shedding light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where data on clinical trials, regulatory decisions or safety and legal issues can significantly affect a company’s stock price.

For more than a year, a group of cybercriminals, which FireEye has dubbed “Fin4” because they are one of several groups that hack for financial gain, has been pilfering email correspondence from more than 100 organizations—most of them publicly traded health care or pharmaceutical companies—apparently in pursuit of information significant enough to affect global financial markets.

The attackers appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular and can inject themselves seamlessly into email threads. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.

Some senior executives have been duped into clicking on links apparently sent from the accounts of longtime clients. In other cases hackers posed as an adviser to one of two companies in a potential acquisition. In several instances, attackers used confidential company documents, which they had previously stolen, as aids in their deception. In others the attackers simply embedded generic investment reports in their emails.

In each case, the links or attachments redirected the victim to a fake email login page designed to steal the victim’s credentials, so that the attacker could log in to the victim’s email account and read its contents.

Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to move deeper into an organization’s servers and infrastructure. They simply read a person’s emails and create rules in the compromised inboxes that automatically delete any email containing words such as “hacked,” “phished” or “malware,” to increase the time before their victims learn their accounts have been compromised.
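The auto-delete rules described above are one of the few artifacts this group leaves behind, and they are easy to hunt for. The following is an added example, not code from FireEye or the original post: it takes mailbox rules already exported as a list of dicts whose field names are assumed to mirror Exchange Online's Get-InboxRule output (Name, Enabled, DeleteMessage, SubjectContainsWords, SubjectOrBodyContainsWords, BodyContainsWords) and flags any enabled rule that deletes mail mentioning a watchlist word. The sample rules and the mailbox addresses are constructed for the example; the watchlist extends the three words the article names.

```python
"""Flag inbox rules that auto-delete mail mentioning a compromise.

Added example, not from the FireEye report or the original post. It
assumes mailbox rules have been exported to a list of dicts whose keys
mirror the fields of Exchange Online's Get-InboxRule output (Name,
Enabled, DeleteMessage, SubjectContainsWords, SubjectOrBodyContainsWords,
BodyContainsWords); any other export can be mapped onto the same shape.
"""
import re

# Words an attacker reading a victim's inbox would want suppressed. The
# article names the first three; the rest are assumed additions that match
# typical incident-notification vocabulary.
WATCHLIST = ("hacked", "phished", "phishing", "malware", "compromised",
             "suspicious", "security", "password")

# Constructed sample export: one benign rule and two FIN4-style rules.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["weekly digest"]},
    {"Mailbox": "cfo@example.com", "Name": "rule1", "Enabled": True,
     "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["hacked", "phished", "malware"]},
    {"Mailbox": "gc@example.com", "Name": "cleanup", "Enabled": True,
     "DeleteMessage": True,
     "BodyContainsWords": ["Your account may be COMPROMISED"]},
]

# Rule fields that hold the text conditions a message is matched against.
_COND_FIELDS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                "BodyContainsWords")


def _matched_terms(rule, watchlist):
    """Return watchlist words that appear (whole-word, case-insensitive)
    in any of the rule's text conditions."""
    hits = set()
    for field in _COND_FIELDS:
        for phrase in rule.get(field) or []:
            for word in watchlist:
                if re.search(r"\b" + re.escape(word) + r"\b", phrase, re.I):
                    hits.add(word)
    return sorted(hits)


def find_suspicious_rules(rules, watchlist=WATCHLIST):
    """Return (mailbox, rule name, matched words) for every enabled rule
    that deletes mail whose subject or body mentions a watchlist word.
    Disabled rules and rules that merely move or flag mail are skipped."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        if not rule.get("DeleteMessage"):
            continue
        hits = _matched_terms(rule, watchlist)
        if hits:
            findings.append((rule.get("Mailbox", "?"),
                             rule.get("Name", ""), hits))
    return findings


if __name__ == "__main__":
    for mailbox, name, hits in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} deletes mail mentioning "
              f"{', '.join(hits)}")
```

Run it against a real export (for Exchange Online, the output of Get-InboxRule across all mailboxes, converted to JSON) and review every hit; a legitimate user rarely has a reason to silently delete mail about phishing or malware, so the false-positive rate is low. Rules that move such mail to an obscure folder rather than deleting it are a common variant, and adding a check on MoveToFolder is a one-line extension.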

“Given the types of people they are targeting, they don’t need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”

Half of the affected companies fall into the biotechnology sector, including companies that sell medical devices or manufacture drugs and diagnostic devices, as well as health care providers and health care planning services.

This blog post was adapted from an article by Nicole Perlroth, which appeared in the New York Times on December 1, 2014.
