Spear phishing attack cost hedge fund £1.5 million in March

More recently, a targeted spear phishing attack on a $10 billion US hedge fund was averted two and a half weeks ago, according to eSentire


Hackers' most common way of extracting big sums from hedge funds – a method known as spear phishing – is also the most successful and relatively simple, say cybersecurity consultants.

Spear phishers email their targets pretending to be companies or individuals very close to the target. The email recipient only has to click on a link for the hacker to start a chain of command-and-control channels that can eventually lead to multi-million dollar losses.

This technique was used to gain access to a large US hedge fund's high-frequency trading (HFT) system and slow it down by fractions of a second, costing it millions of dollars in the space of two months, according to statements made by BAE Security Systems in June.

Eldon Sprickerhoff, chief security strategist at cyber-protection firm eSentire, says he sees more than 10 phishing attacks every day on his 350 hedge fund clients, large and small.

Phishing – a wider category of junk emails that trick people into downloading or spreading viruses – and other similar tactics cost the average business surveyed by independent researcher the Ponemon Institute $31,000 per attack.

Such attacks are frequent. Of the 234 companies that opted to participate in Ponemon's 2013 Cost of Cyber Crime study, roughly half said they had suffered a phishing-like attack in the last four weeks.

"Spear phishing is the most popular and successful [cyber strategy] to date," says Sprickerhoff, referring to hedge fund targets.

Steve Schoener, technology vice-president at the cybersecurity firm Eze Castle, agrees: "It is the most common serious threat to hedge funds."

Cyber attacks that plague other businesses, including data breaches by malicious insiders such as former employees and website-crashing hacks, cause hedge funds few problems, Schoener says.

Few ex-hedge fund workers are a primary security concern and company websites are not as central to funds as to other companies. Phishing is common, owing to the numerous financial transactions.

A medium-sized hedge fund, with less than $1 billion in assets under management, lost $1.5 million in mid-March after a phishing attack, according to eSentire.

A hacker using two machines managed to set up a command-and-control chain that took over the CFO's access to wire transfers, and channelled a series of small payments out of the fund's capital account, with the money making its way to accounts in China, Russia and Turkey.

The bait was probably an email instructing the recipient to check their voicemail messages, says Sprickerhoff.

"This attack required a relatively low skill set," says J Paul Haynes, CEO of eSentire.

Sprickerhoff says he saw a more targeted spear phishing attack on a large US hedge fund that manages $10 billion worth of assets two and a half weeks ago.

"The easiest way to [trick the email recipient] is to fake a conversation between two people," he says.

In this case, the hacker had the names of three employees and their relationships within the fund. He or she created a fake domain and email addresses similar to those of two of the employees, and manufactured an email exchange between the two.

The hacker forwarded the conversation to the third employee, and asked for a wire transfer with a brief email: "Ready to effect that change?"

"The problem funds face is the implicit trust between 50 people. It becomes easy for the hacker to move laterally in the network," says Haynes.

In this instance the US fund suffered no losses, as the cybersecurity firm could resolve the problems.

But damage to a fund's reputation is still a concern. Financial institutions surveyed by PwC in its global economic crime survey listed reputational damage as their primary concern, above theft, data breaches and service disruption.

The time taken to fix the problem is also an annoyance. Phishing-type attacks take on average 19 days to resolve, according to the Ponemon Institute.

Schoener of Eze Castle says that the biggest and smallest funds best understand the threats that cyber attacks pose; older funds with assets between $250 million and $750 million show the least awareness, in his experience.

eSentire tells all its clients two ways to fend off spear phishers: pay for a robust anti-spam filter and educate employees about the threats. "Essentially," says Haynes, "Don't click that."
