‘Man in the browser’ and other cybercriminals target the unaware

As the Securities and Exchange Commission increases its scrutiny of cybersecurity at advisory firms, experts are warning of growing threats from scammers who are exploiting both software and human weaknesses to attack adviser practices and client accounts.
One new online scam, known as “the man in the browser,” gives hackers a direct connection from an infected victim’s machine into a target organization. Attackers get into users’ machines while they browse the web, and then set to work installing malware, according to Roel Schouwenberg, principal researcher at IT security vendor Kaspersky Lab. By exploiting weaknesses, hackers can take advantage of errors in programming, he said.
“The man in the browser is the most sophisticated type of threat because it’s the hardest to detect from an organizational point of view,” Mr. Schouwenberg said. Everything looks the same from the victim’s end, both in the machine and the browser. And from the organization’s point of view, the machine will look the same.”
These threats are happening at the same time the SEC is stepping up its assessment of advisory firms’ cybersecurity. The SEC posted a risk alert that lists areas it will consider as it examines more than 50 registered investment advisers and broker-dealers. The list includes software safety, business practices and employee training.
To fight such threats, Mr. Schouwenberg recommended that firms make sure all software is up to date and to install monthly Microsoft patches routinely. He also warned that attackers are going after browser plug-ins such as Adobe Flash, Adobe Reader and Oracle’s Java, and that advisory firms may want to provide software to clients that provides routine security checks.
“We’re at a groundswell point with information security,” said Chris Valenti, risk and quality information security liaison for First Clearing Correspondent Services. “What I’ve seen since I started as liaison several years ago is people going from awareness of threats to understanding threats and how to mitigate risks.”
But another threat, called “social engineering,” comes in physical form. In these cases, criminals impersonate firefighters or alarm system salesmen to prey upon company officials who give them access to their computers in the belief that they are being helpful.
Social engineers may first use a phone call, e-mail or Google search to create a plausible pretext — such as, “We’ve been alerted to a virus, and we need your password” or “We need to come into your office and check your computer” — to gain entry into an advisory firm, he said. Employee cybersecurity training is the best way to protect firms against such scams, he said.
A First Clearing white paper notes that social engineering is a common method hackers use to target and exploit employees in order to gain entry into a firm’s computer network.
“A customer service organization can expose itself to security threats just by virtue of wanting to help customers,” Mr. Valenti said. “We might inadvertently help somebody breach our network. Social engineering is about getting into an organization by getting past its controls and having people do it for you. It’s an old-fashioned con.”