On Sunday, Nov. 30, security consulting firm FireEye published a report on the current hacking efforts of a group dubbed FIN4. FIN4 has targeted more than 100 organizations, 68 percent of them publicly traded healthcare and pharmaceutical companies, stealing non-public information for illicit trading advantage. Additional targets include law firm partners and M&A consultants privy to proprietary information on imminent merger and acquisition transactions or other non-public, market-moving developments.
FIN4 uses a spearphishing strategy, sending targeted emails to executives and convincing them to hand over their email account login credentials, for example through macros embedded in attached documents that display what appears to be a legitimate system alert about a timed-out Outlook session, prompting the user to log in again. Once FIN4 hackers have the login credentials for an executive’s email account, they gain access to confidential information, along with the ability to send further phishing messages to other targets from the compromised account.
And in an ironic twist, FIN4 also creates rules in such executives’ email accounts to automatically delete any incoming messages containing “hacked,” “phish,” “malware” or other words warning that the user’s account may have been compromised. FireEye notes that FIN4’s spearphishing messages appear to be written by native English speakers with a sophisticated familiarity with deals and public company concerns, making such messages more compelling lures for the unsuspecting executives.
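The auto-delete rules described above are a detectable artifact. The following added example, which is not part of the FireEye report or this post, audits an export of mailbox rules and flags any rule that matches compromise-warning words and then hides the message; the rule field names and the sample rule data are assumptions constructed for the example.

```python
"""Flag inbox rules that silently hide account-compromise warnings.

Added example, not code from the FireEye report. It assumes mailbox rules
have been exported to dicts with the keys used in SAMPLE_RULES (field names
are an assumption); the sample data is constructed.
"""

# Words FIN4 filtered on per the report, plus related alert terms (assumption).
WARNING_TERMS = {"hacked", "phish", "malware", "compromised", "suspicious"}
# Rule actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = {"delete", "permanentdelete", "movetodeleteditems", "movetojunk"}


def _lower(words):
    return {w.lower() for w in words}


def warning_hits(rule):
    """Return the rule's match words that contain a warning term."""
    matched = _lower(rule.get("subject_contains", [])) | _lower(rule.get("body_contains", []))
    return sorted(w for w in matched if any(t in w for t in WARNING_TERMS))


def rule_hides_warnings(rule):
    """True if the rule matches warning words AND hides the matching mail."""
    hides = bool(_lower(rule.get("actions", [])) & HIDING_ACTIONS)
    return hides and bool(warning_hits(rule))


def find_suspicious_rules(rules):
    """Return (mailbox, rule name, matched words) for every hiding rule."""
    return [
        (r["mailbox"], r["name"], warning_hits(r))
        for r in rules
        if rule_hides_warnings(r)
    ]


# Constructed sample export: two benign rules, two that look like FIN4's.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Cleanup",
     "subject_contains": ["hacked", "phish", "malware"], "actions": ["delete"]},
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "body_contains": ["unsubscribe"], "actions": ["movetofolder"]},
    {"mailbox": "bob@example.com", "name": "IT alerts",
     "subject_contains": ["compromised account"],
     "actions": ["movetodeleteditems", "markasread"]},
    # Matches a warning word but only files it; not hidden, so not flagged.
    {"mailbox": "bob@example.com", "name": "Security digest",
     "subject_contains": ["phishing"], "actions": ["movetofolder"]},
]

if __name__ == "__main__":
    for mailbox, name, words in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' hides mail matching {words}")
```

Run against a real rule export, the same check also catches rules that redirect or junk such warnings, since those actions are included in HIDING_ACTIONS.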
FIN4 Lessons Learned:
- Don’t “Outsource” Data Security to IT: Data security is not merely the job of the IT department (or of the organization’s security officer). It’s everyone’s responsibility. While FIN4 reminds us of important technical safeguards (such as multi-factor authentication where appropriate, disabling VBA macros in Outlook, and blocking domains known to be used by hackers such as FIN4), the FIN4 strategy involves no injection of any malware to be detected by system security scans. Instead, many forms of cyber attack, such as FIN4’s spearphishing methods, are designed to exploit human security vulnerabilities. We are the weak link.
- Raise Data Security Awareness of the Workforce – Including the C-Suite: Organizations should provide data security workforce training, but just as important, there should be an ongoing awareness campaign, with periodic reminders of data security tips and techniques, especially on access controls such as strong passwords, and how to recognize phishing and other social engineering attacks. And upper management is not exempt – in fact, as with FIN4, the C-suite may indeed be the target.
- Slow Down, be Skeptical, and Verify: Phishing and other forms of social engineering play upon our haste in life and the workplace – we often simply don’t take the time to listen as our inner voice tells us “there’s something not quite right about this!” So, slow down just a notch as you field your incoming messages on a desktop or mobile device. Apply a healthy dose of skepticism, instead of simply assuming the bona fides of the sender. Remember, spearphishers may have done a surprising amount of homework to convey familiarity and trustworthiness. If sensitive information is requested, separately and independently confirm the request is legitimate, and use your own, secure means of providing the information. And never, ever enter your account password or other authentication information unless you are rock-solid sure that doing so is legitimate and secure.