why do thieves target banks? as Willie Sutton apocryphally said “because that’s where the money is.”
Fire Eye has released a report on the activities on a group called FIN4. They target C suite individuals in fortune 100 companies via email. And these are not the Nigerian 419 emails, they are well written and highly targeted
FIN4 focuses on compromising the accounts of individuals who possess non-public information about merger and acquisition (M&A) deals and major market-moving announcements, particularly in the healthcare and pharmaceutical industries. Why would they do that? Access to insider information that could drive equity prices for multiple publicly traded companies should give FIN4 at a major trading edge.
The group writes emails with specific M&A and regulatory themes that link to poisoned websites and malicious word & excel documents that contain Visual Basic for Applications (VBA) macros designed to steal the usernames and passwords of the recipient. Often they include links to fake Outlook Web App (OWA) login pages in order to capture the user’s credentials. Once equipped with the user credentials, they would be able to access real-time email communications, consequently they will be able to spy on potential deals and know their timing.
In a nice touch part of the malicious code sets up a rule in the victims mail file to auto delete any warning emails that may be sent to them.
As an extra level of obfuscation the group uses existing email threads in a victim’s inbox to spread their malicious documents and links. This means that malicious emails are almost impossible to distinguish from legitimate emails sent from a compromised victim’s email account. The actors have also Bcc’d all recipients, making it even more difficult for recipients to decipher a malicious email from a legitimate one
How to defend against this attack
Other than training users there is little that can be done to defend against the attack. You could turn off VBA execution in documents but that may well have knock on effects elsewhere