Cyber Crooks Snatch Biotech Emails to Move Markets

Hackers have been targeting more than 100 organizations, largely publicly-traded companies, to glean intelligence capable of jolting stock prices.

Fore more than a year, cyber forensics firm FireEye has been responding to the group’s intrusions, according to a new report.

The attackers, whom FireEye dubbed “Fin4” because they are one of several groups that hack for financial gain, appear to be native English speakers, who are well versed in Wall Street jargon.

“Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ,” the New York Times reports.

Victims have included top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists.

“Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee’s negative rants about the executive in an investment forum,” according to the Times.

Sometimes, the attackers used stolen company documents to aid the deception.

While the messaging and clickbait vary, in each case, the links or attachments redirect their victim to a fake email login page. The webpage is designed to steal the victims’ credentials, so that the attacker can log into their email and read the contents.

The attackers only read the person’s emails, rather than creeping further into the network. And the bad guys set the compromised inboxes to automatically delete any email containing words such as “hacked,” “phished” or “malware,” so they can read a while, before the victims detect a problem.

FireEye declined to identify the affected companies, but said half of them fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.

 The attackers always logged into their victim’s email accounts using Tor, the anonymity software that routes web traffic through Internet Protocol addresses around the globe.

“We don’t have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” said FireEye threat intelligence manager Jen Weedon. “But it’s hard because we don’t have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”