'Man in the browser' and other cybercriminals target the unaware

From system infiltrators to social engineers, scammers seek access to advisory firms' weakest points of entry.
JUN 13, 2014
As the Securities and Exchange Commission increases its scrutiny of cybersecurity at advisory firms, experts are warning of growing threats from scammers who are exploiting both software and human weaknesses to attack adviser practices and client accounts. One new online scam, known as “the man in the browser,” gives hackers a direct connection from an infected victim's machine into a target organization. Attackers get into users' machines while they browse the web, and then set to work installing malware, according to Roel Schouwenberg, principal researcher at IT security vendor Kaspersky Lab. By exploiting weaknesses, hackers can take advantage of errors in programming, he said. “The man in the browser is the most sophisticated type of threat because it's the hardest to detect from an organizational point of view,” Mr. Schouwenberg said. Everything looks the same from the victim's end, both in the machine and the browser. And from the organization's point of view, the machine will look the same.” These threats are happening at the same time the SEC is stepping up its assessment of advisory firms' cybersecurity. The SEC posted a risk alert that lists areas it will consider as it examines more than 50 registered investment advisers and broker-dealers. The list includes software safety, business practices and employee training. To fight such threats, Mr. Schouwenberg recommended that firms make sure all software is up to date and to install monthly Microsoft patches routinely. He also warned that attackers are going after browser plug-ins such as Adobe Flash, Adobe Reader and Oracle's Java, and that advisory firms may want to provide software to clients that provides routine security checks. “We're at a groundswell point with information security,” said Chris Valenti, risk and quality information security liaison for First Clearing Correspondent Services. “What I've seen since I started as liaison several years ago is people going from awareness of threats to understanding threats and how to mitigate risks.” But another threat, called “social engineering,” comes in physical form. In these cases, criminals impersonate firefighters or alarm system salesmen to prey upon company officials who give them access to their computers in the belief that they are being helpful. Social engineers may first use a phone call, e-mail or Google search to create a plausible pretext — such as, “We've been alerted to a virus, and we need your password” or “We need to come into your office and check your computer” — to gain entry into an advisory firm, he said. Employee cybersecurity training is the best way to protect firms against such scams, he said. A First Clearing white paper notes that social engineering is a common method hackers use to target and exploit employees in order to gain entry into a firm's computer network. “A customer service organization can expose itself to security threats just by virtue of wanting to help customers,” Mr. Valenti said. “We might inadvertently help somebody breach our network. Social engineering is about getting into an organization by getting past its controls and having people do it for you. It's an old-fashioned con.”

Latest News

Voya expands advisor managed accounts to add private market assets
Voya expands advisor managed accounts to add private market assets

Voya Financial adds private equity, credit and real estate options to its AMA program, building on support for looser federal investment rules in retirement accounts.

With executives leaving, Osaic’s Reid now in the spotlight
With executives leaving, Osaic’s Reid now in the spotlight

Shannon Reid, president of Osaic and the network’s number two executive, has plenty of challenges, industry executives said.

Investors sue crypto fund and platform, alleging $1.5 million never returned
Investors sue crypto fund and platform, alleging $1.5 million never returned

Auditors flagged the commingling. The COO allegedly knew. Investors kept getting the pitch

Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL
Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL

The advisors on the move include two brothers leading a family practice in Connecticut, and a husband-and-wife tandem working with business owners in the West Coast.

Most potential business successors think there's a plan – but owners say otherwise
Most potential business successors think there's a plan – but owners say otherwise

Business owners and their heirs may be making assumptions instead of having conversations, creating challenges for succession planning, according to new research.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.