Major Wall Street institutions were cracked wide open by a phishing scam from FIN4, a hacker group that, unlike its competition, can write convincingly and employs some basic smarts about why people open attachments.
FIN4’s phishing messages warned finance execs that there was an online discussion thread where a disgruntled employee was exposing the company to liability by disclosing confidential material. The malware mined the PCs it infected for previously exchanged Microsoft Office documents and added infectious macros to them, then attached them to replies in the threads in which they’d originally appeared.
These tactics — writing convincing, native-English emails; using existing threads from Outlook repositories to come up with plausible attachments and distribution lists — are incredibly obvious, but have rarely been deployed before this. This is weird — if you can hire competent writers to ghost-write your term papers, it can’t be that hard for Russia’s spam-factories to find ghost-writers for their English-language spam; likewise, if you can compromise a computer from asshole to appetite, why wouldn’t you mine it for basic social-graph information that will make your spam seem more plausible?
FIN4’s malware penetrated 100 companies, targeting the accounts of “C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors.” The hackers appear to have used their inside view and their capacity to disrupt internal communications to make insider trades on these firms.
Subject: employee making negative comments about you and the companyFrom: [name]@[compromised company’s domain]
I noticed that a user named FinanceBull82 (claiming to be an employee) in an investment discussion forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances of his disagreements, and in doing so, may have unwittingly divulged confidential company information regarding pending transactions. I am a longtime client and I do not think that this will bode well for future business. The post generated quite a few replies, most of them agreeing with the negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through the appropriate channels before making his post. The link to the post is located here (it is the second one in the thread):
http://forum./redirect. php?url=http://%2fforum%2fequities%2f375823902%2farticle.php\par
Could you please talk to him?
Thank you for the assistance,
[name]
Phishing scam that penetrated Wall Street just might work against you, too [Dan Goodin/Ars Technica]