Skip navigation
industry news

Targeting the Stock Market: Biotech Industry Info Phished

Phishing attacks and unauthorized users are becoming harder to detect as attackers get smarter. With a focus on Wall Street and the financial sector, attackers appear to be more strategic and skilled in their approach, choosing to target advisory and consulting firms that support the industry.

And even more strategically, they’re specifically targeting healthcare and pharmaceutical companies in order to affect stock prices in a big way.

A recent report released by FireEye on the attack group referred to as FIN4 finds that 68 percent of the companies targeted were comprised of healthcare and pharma companies. And of those 60 publicly traded companies, 50 percent were in the biotechnology industry.

But why the healthcare industry? According to the report, healthcare industry stocks fluctuate significantly with public announcements of clinical trial results, regulatory decision and safety/legal issues. Many high-profile insider trading cases also involve the pharma sector, while information of interest includes drug development, insurance reimbursement rates and pending legal cases.

They also report attacks against third-parties like healthcare payers (insurance carriers like Medicaid) whose rebate decisions and purchasing power dictate a healthcare company’s earnings, which could inform attackers about future revenue and stock prices.

Plus, attackers can easily take advantage of the poor cybersecurity practices within the healthcare industry, which can be attributed to a number of reasons as a report by BitSight Technologies listed in Will Healthcare Be the Next Retail?

  • Unlike financial institutions, the healthcare and pharma companies don’t view cybersecurity as a strategic business issue - more so a compliance issue.
  • In striving to only spend enough to be compliant with patient data regulations like HIPAA, they don’t allocate enough resources to actually protect their data, partly because cybersecurity hasn’t received executive-level attention.
  • As a result, the healthcare and pharma companies rank the lowest in compensation for information security staff, as Ponemon’s 2013 Salary Benchmark Report found, reported by BitSight.

How do they do it? FIN4 sends convincing and custom phishing emails to top-level executives, targeting researchers, security officers and legal counsel. The reports that they appear to be written by “native English speakers...who are well-versed in the Wall Street vernacular.”

One example of an email contained concerns of the “disclosure” of “confidential company information regarding pending transactions,” meant to target publicly-traded companies and trigger alarm in investors and shareholders. These emails have also been known to contain links to fake OWA login pages that steal user credentials.

Another way they steal credentials is by embedding VBA (Visual Basic for Applications) macros into a stolen Office document displaying a dialog box that mimics the Windows Auth login prompt, telling users that their session had timed out and required them to log in again. The credentials are then sent (over Tor) to a Command & Control (C2) server controlled by the group, which they use to log into the user’s email account (also over Tor - find out more about how Tor works in Duo Tech Talks: Encryption Works: A Look at Tor and SecureDrop).

With access to email accounts, the attackers have also created custom filters that automatically delete any emails with the keywords hacked, phished, malware, etc. in order to avoid detection.

What should companies do to secure access to their applications, data and networks? FireEye reports that the simplicity of their tactics can make their activity difficult to detect - no malware, while the use of valid credentials seems legitimate. They recommend a few ways to secure against these types of attacks, including:

  • Disabling VBA macros in Microsoft Office by default
  • Blocking domains listed in their report (found to be Command & Control (C2) domains that are used to collect credentials; nine found so far)
  • Enabling two-factor authentication for OWA and any other remote access mechanisms
  • Check network logs for OWA logins from known Tor exit nodes

Find out more about protecting Microsoft remote access points in Two-Factor Authentication for Microsoft, including protection for Outlook Web App (OWA), Remote Desktop (RDP), and Threat Management Gateway (TMG).