'Man in the browser' and other cybercriminals target the unaware

From system infiltrators to social engineers, scammers seek access to advisory firms' weakest points of entry

May 7, 2014 @ 1:02 pm

By Joyce Hanson

Cybersecurity, online scams, Microsoft, Oracle, Java, Adobe Reader, Adobe Acrobat
+ Zoom

As the Securities and Exchange Commission increases its scrutiny of cybersecurity at advisory firms, experts are warning of growing threats from scammers who are exploiting both software and human weaknesses to attack adviser practices and client accounts.

One new online scam, known as “the man in the browser,” gives hackers a direct connection from an infected victim's machine into a target organization. Attackers get into users' machines while they browse the web, and then set to work installing malware, according to Roel Schouwenberg, principal researcher at IT security vendor Kaspersky Lab. By exploiting weaknesses, hackers can take advantage of errors in programming, he said.

“The man in the browser is the most sophisticated type of threat because it's the hardest to detect from an organizational point of view,” Mr. Schouwenberg said. Everything looks the same from the victim's end, both in the machine and the browser. And from the organization's point of view, the machine will look the same.”

These threats are happening at the same time the SEC is stepping up its assessment of advisory firms' cybersecurity. The SEC posted a risk alert that lists areas it will consider as it examines more than 50 registered investment advisers and broker-dealers. The list includes software safety, business practices and employee training.

To fight such threats, Mr. Schouwenberg recommended that firms make sure all software is up to date and to install monthly Microsoft patches routinely. He also warned that attackers are going after browser plug-ins such as Adobe Flash, Adobe Reader and Oracle's Java, and that advisory firms may want to provide software to clients that provides routine security checks.

“We're at a groundswell point with information security,” said Chris Valenti, risk and quality information security liaison for First Clearing Correspondent Services. “What I've seen since I started as liaison several years ago is people going from awareness of threats to understanding threats and how to mitigate risks.”

But another threat, called “social engineering,” comes in physical form. In these cases, criminals impersonate firefighters or alarm system salesmen to prey upon company officials who give them access to their computers in the belief that they are being helpful.

Social engineers may first use a phone call, e-mail or Google search to create a plausible pretext — such as, “We've been alerted to a virus, and we need your password” or “We need to come into your office and check your computer” — to gain entry into an advisory firm, he said. Employee cybersecurity training is the best way to protect firms against such scams, he said.

A First Clearing white paper notes that social engineering is a common method hackers use to target and exploit employees in order to gain entry into a firm's computer network.

“A customer service organization can expose itself to security threats just by virtue of wanting to help customers,” Mr. Valenti said. “We might inadvertently help somebody breach our network. Social engineering is about getting into an organization by getting past its controls and having people do it for you. It's an old-fashioned con.”

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

Inside the first robo ETF

When it comes to exchange-traded funds, innovations come in all shapes and sizes. Check out Robo Global's Bill Studebaker discussing the first robo ETF.

Video Spotlight

Are Your Clients Prepared For Market Downturns?

Sponsored by Prudential

Recommended Video

Path to growth

Latest news & opinion

HighTower faces pressure to let investors cash out

After an IPO planned for last year didn't happen, the company could opt to satisfy its backers with a sale.

Envestnet to buy FolioDynamix

The deal, which is expected to close in the first quarter of 2018, will bring the total assets Envestnet works with to almost $2 trillion.

Jerry Schlichter's fee lawsuits have left an indelible mark on the 401(k) industry

After a decade of litigation, fees are lower and retirement plans are more transparent. But have the lawsuits gone too far?

10 best financial adviser jokes

How many financial advisers does it take to screw in a lightbulb?

With margins crashing, broker-dealers look to merge: report

Increased regulation is straining profit margins among broker-dealers, sending many of them into the arms of their bigger brethren.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print