A recent report by security consulting firm FireEye reveals that a hacker group, referred to as FIN4, have infiltrated over 100 publicly traded companies and advisory firms since at least mid-2013 and are likely trading using inside information. FIN4’s ongoing hacking efforts particularly target the email accounts of individuals with access to non-public information about imminent M&A deals and other market catalysts. According to the report and an interview with Jen Weedon, FireEye’s manager of threat intelligence, the highly tailored tactics and level of sophistication suggest that the hackers may be individuals with experience on Wall Street.

Focus on M&A deals and healthcare sectors

FIN4’s focus is on acquiring information on ongoing M&A discussions. They target individuals directly involved in a deal, such as senior executives, legal counsel, and regulatory, risk and compliance personnel. On multiple occasions, the hackers have simultaneously targeted individuals in several organizations involved in the same deal, including law firms, consulting firms and public companies.

In addition, FIN4 focuses particularly on public companies in the healthcare and pharmaceutical sectors, as over two-thirds of the targeted organizations fall under this category. FireEye theorizes that this focus is because the nature of these sectors involve issues that are most likely to significantly affect stock prices, such as clinical trial results and litigation.

Highly tailored phishing tactics

FIN4 steals login credentials to the email accounts of select individuals by using phishing emails sent from compromised email accounts. These phishing emails are often highly tailored and employ a variety of tactics to make them appear legitimate.

For example, they attach stolen but legitimate corporate documents with malicious code embedded in them, which will display a fake Windows Authentication window and prompt the user to enter their login credentials. The email body is often customized to appeal to the unique concerns of the particular target recipient. One sample email shown in the report was sent to an executive of a public company under the guise of a complaint regarding improper disclosure of pending transactions. In some cases, the hackers have also sent messages using existing email threads from compromised accounts, thereby adding an extra layer of purported legitimacy.

FIN4 further modifies the Microsoft Outlook configurations of compromised accounts to prevent the victim from reading emails which may alert the victim about the security breach. It does this by automatically deleting emails in the inbox containing words such as “virus”, “phish” or “hack”.


The operations of FIN4 are ongoing and the report suggests that organizations implement several technical changes which can hinder the hackers. However, as FIN4’s operations rely primarily on human deception, they may simply find a new way around the technical obstacles introduced by the report. Organizations at particular risk of being targeted should ensure their employees and executives are aware of these hacking efforts, take appropriate precautions to verify the identity of senders requesting sensitive information, and avoid providing login credentials unless they are absolutely certain that the prompt is legitimate.

The author would like to thank Matthew Lau, articling studnet, for his assistance in preparing this legal update.