'Man in the browser' and other cybercriminals target the unaware

From system infiltrators to social engineers, scammers seek access to advisory firms' weakest points of entry

May 7, 2014 @ 1:02 pm

By Joyce Hanson

As the Securities and Exchange Commission increases its scrutiny of cybersecurity at advisory firms, experts are warning of growing threats from scammers who are exploiting both software and human weaknesses to attack adviser practices and client accounts.

One new online scam, known as “the man in the browser,” gives hackers a direct connection from an infected victim's machine into a target organization. Attackers get into users' machines while they browse the web, and then set to work installing malware, according to Roel Schouwenberg, principal researcher at IT security vendor Kaspersky Lab. By exploiting weaknesses, hackers can take advantage of errors in programming, he said.

“The man in the browser is the most sophisticated type of threat because it's the hardest to detect from an organizational point of view,” Mr. Schouwenberg said. Everything looks the same from the victim's end, both in the machine and the browser. And from the organization's point of view, the machine will look the same.”

These threats are happening at the same time the SEC is stepping up its assessment of advisory firms' cybersecurity. The SEC posted a risk alert that lists areas it will consider as it examines more than 50 registered investment advisers and broker-dealers. The list includes software safety, business practices and employee training.

To fight such threats, Mr. Schouwenberg recommended that firms make sure all software is up to date and to install monthly Microsoft patches routinely. He also warned that attackers are going after browser plug-ins such as Adobe Flash, Adobe Reader and Oracle's Java, and that advisory firms may want to provide software to clients that provides routine security checks.

“We're at a groundswell point with information security,” said Chris Valenti, risk and quality information security liaison for First Clearing Correspondent Services. “What I've seen since I started as liaison several years ago is people going from awareness of threats to understanding threats and how to mitigate risks.”

But another threat, called “social engineering,” comes in physical form. In these cases, criminals impersonate firefighters or alarm system salesmen to prey upon company officials who give them access to their computers in the belief that they are being helpful.

Social engineers may first use a phone call, e-mail or Google search to create a plausible pretext — such as, “We've been alerted to a virus, and we need your password” or “We need to come into your office and check your computer” — to gain entry into an advisory firm, he said. Employee cybersecurity training is the best way to protect firms against such scams, he said.

A First Clearing white paper notes that social engineering is a common method hackers use to target and exploit employees in order to gain entry into a firm's computer network.

“A customer service organization can expose itself to security threats just by virtue of wanting to help customers,” Mr. Valenti said. “We might inadvertently help somebody breach our network. Social engineering is about getting into an organization by getting past its controls and having people do it for you. It's an old-fashioned con.”

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

Dynasty's Penney: Top RIA trends for 2018

What's next for RIAs? Dynasty's Shirl Penney talks about the growing numbers of entrepreneurial advisers. Plus, what inspired his own entrepreneurship.

Latest news & opinion

Meet our 2017 Women to Watch

Introducing 20 female financial advisers and industry executives who are distinguished leaders, advancing the business of providing advice through their creativity and hard work.

Raymond James executives call on industry to keep broker protocol

Also ask firms to pay for the administration of the protocol to 'ensure its longevity and relevance.'

Senate committee approves tax plan but full passage not assured

Several Republican senators expressed reservations about the bill, and the GOP cannot afford too many defections.

House passes tax bill, focus turns to Senate

Tax reform legislation expected to have more of a challenge in upper chamber.

SEC enforcement of advisers drops in Trump era

The agency pursued 82 cases against advisers and firms in fiscal year 2017, down from 98 the previous year.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print