Cyber criminals eye financial markets for a better return on investment

Cyber criminals could turn to the financial markets to make money – using tricks such as shorting stocks before attacking listed companies, buying commodities futures before taking down the website of a large company or breaking into computer systems to steal confidential mergers and acquisitions information before playing the markets.

These are some of the ways advanced hackers could manipulate the financial markets, a threat security experts are warning is just over the horizon.

In a paper last year, Scott Borg, chief executive of the US Cyber Consequences Unit, an independent non-profit organisation that advises the US government on the economic consequences of possible cyber attacks, warned that some criminals are set to go beyond stealing the financial data of customers and start profiting from cyber attacks by manipulating market movements.

“The potential scope of the new attacks is stunning. There is a limit to the amount of money that can be stolen directly by diverting payments. There is no limit to the amount of money that can be made by manipulating markets,” he wrote.

Mr Borg told the Financial Times he had been talking to banks privately about this risk for some time, but had been cautious about making public warnings for fear he would inadvertently be giving ideas to criminals.

Now, however, he has seen signs of some early attacks that may be aimed at manipulating markets. “For a number of years, I kept quiet, I didn’t want to put the idea into people’s heads that this was an enormous opportunity. But that is no longer a good argument, as the bad guys have caught on,” he said.

Mr Borg has seen discussion of the potential for this type of attack on the underground forums frequented by cyber criminals and evidence that hackers are targeting government organisations that hold what could potentially be market-moving economic data.

These types of attacks are not yet widespread, as many cyber criminals focus on the easy pickings from selling credit card data or clearing out bank accounts.

Manipulating financial markets could be much more complex. Criminals may have to use advanced phishing techniques – where very carefully crafted emails, often based on specialist knowledge, are sent to executives to elicit information, or ask them to click on links or downloads – or advanced malware, which is especially designed to get into customised software.

Once an attack has been carried out, however, it could be very hard to track down the culprits, Mr Borg says. It is relatively easy to hide one’s identity in a busy marketplace and even if someone is accused of, for example, shorting a stock based on the knowledge gained during an attack, they could shrug it off as taking a gamble on a rumour they heard. “It is very, very hard to prosecute anyone for this kind of crime,” he says.

Marc Maiffret, chief technology officer for Beyond Trust, a security and compliance management company, agrees with Mr Borg that markets will receive more attention from cyber criminals as straightforward stealing of data becomes less lucrative.

He added that as companies put in better measures to protect against credit card fraud, such as two-factor authentication with online banking, using hardware devices or phones to generate codes, or the introduction of chip-and-pin in the US, cyber criminals in eastern Europe, China and even across the US will begin to dabble in market manipulation.

Trading and data services are incentivised to be cheaper or faster, but not necessarily more secure

Derek Manky, who heads the research arm of Fortinet, a US cyber security company, says he has already seen evidence of an infection that scanned thousands of his clients’ machines searching for trading accounts. The bug was designed to issue automatic trading instructions if it had succeeded in taking over the accounts.

“It is not happening on a regular basis, but we’re seeing indications that the technology is being developed to enable criminals to manipulate the market,” he said.

Gary Owen, a director at Promontory, a consulting firm, used to run the threat management centre at Goldman Sachs. He says that while big banks tend to run sophisticated security operations, those lower down the food chain often have to rely on third-party vendors, and this could pose a threat to the financial system.

“More pressure needs to be put on specific vendors who are systemically important to a subset of the community because they provide services for tier-two or tier-three clients,” he said.

“Trading and data services tend to be incentivised to be cheaper or faster, but not necessarily more secure.”

Mr Owen says criminals could distort data to siphon off cash. “What if one in 10 trades is corrupted somehow, but you can’t see it? Instead of 10 shares, it’s 11, instead of $9, it’s $8.50?” The integrity of the data available in the market is paramount, he adds, as without trust the system could fall apart.