Call it insider trading for the digital age: An international ring of con men and criminals managed to make $100 million in the stock market by gaining advance access to press releases.
They did this by hacking into commercial news distribution services, the largest in the biz: PR Newswire, Business Wire and Marketwired. Phishing was the initial vector.
The campaign lasted from 2010 until this last May—a five-year period during which more than 150,000 press releases with earnings figures and other market-impacting corporate information were pilfered and analyzed prior to their release—offering market brokers an opportunity to make some very savvy investments, hours to three days ahead of the game.
For instance, on one day in 2013 the group was poised for a positive earnings report from Panera Bread and proceeded to trade more than 75,000 shares in a little over an hour to make $900,000.
As you might imagine, the accused are a mixed crew of hackers and stock traders. Nine people in the US and Ukraine were indicted on federal criminal charges, including securities fraud, computer fraud and conspiracy. The Securities and Exchange Commission also brought civil charges against the nine, plus 23 other people and companies in the US and Europe. Prosecutors said the defendants made $30 million from their part of the scheme.
The case "illustrates the risks posed for our global markets by today's sophisticated hackers," SEC chief Mary Jo White said. "Today's international case is unprecedented in terms of the scope of the hacking at issue, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated."
While the story is notable for the insider trading angle, the tactics are familiar to the cybersecurity world, even if the outcome is a new one. In essence, this is just the latest in a string of major breaches carried out using sophisticated multi-vector attacks, according to Paul Lipman, CEO at iSheriff.
“Phishing is proving to be an increasingly effective entry point for attacks,” he told Infosecurity. “When a target clicks a link to a malicious page, an exploit is downloaded onto their device. Nearly 70 percent of attacks involve inadvertent download in this way. This malicious application then opens a backdoor for the attacker to ultimately gain access to the network. Sensitive data, in this case press releases, is then extracted.”
But what of the target? Sure, news releases are timed for competitive reasons, and embargoes on the news are common in order for companies to strike when the time is ideal within a given news cycle. But no one would ever think that they were putting the keys to the proverbial company castle in black-and-white in a news release. And in that way, the con is ingenious.
“This is a fascinating new domain in the field of defending against attacks,” said John Gunn, VP at VASCO Data Security. “Cash, credit-card numbers, and social-security numbers have high value to all hackers, so they are well protected, especially by banks who spend a fortune on protecting their assets. But a press release has essentially zero value to anyone except an extremely small group of hackers who can exploit the information in secondary markets.”
He added, “These hacker mash-ups will become more frequent as enabling technologies make criminal collaboration easier.”
Essentially, assets previously seen as having little face value, and therefore protected with minimal security, have been converted into significant monetary gain.
John Humphries, CMO and co-founder of Proficio, added, “What's next—pending drug approvals by the FDA, court opinions, rating agency analysis?”
For its part, PR Newswire, which said in a statement that it has “cooperated with the relevant government agencies,” took an apologetic tone and said that it’s working on enhancing its security.
“[The] announcement highlights that cyber-attacks are becoming increasingly sophisticated and cybersecurity is more important than at any point in the digital age,” it said. “PR Newswire is committed to providing a secure environment for client information and employs a multi-dimensional approach to information security. Our efforts are managed by a dedicated team with security certification credentials who apply the latest security techniques. Our web applications and technology infrastructure undergo rigorous vulnerability assessment and monitoring using industry-leading tools…as cyber security threats continue to evolve, so will our information security practices.”