Recently a friend called me in the wake of a frightening hack attack. Hackers had compromised his stock trading account, sold all his stocks, and were in the middle of transferring the cash to an intermediate laundering site. They had changed the contact information for the account before initiating the unauthorized stock selloff; when the broker tried to contact him to confirm the unusual activity, he was actually communicating with the hackers, who of course gave the OK.
Luckily, the stock trading site did not allow users to change all contact information at once. In this case, the attackers were unable to change my friend's email address, the same one used to send notifications of transactions. In an attempt to mask those email notifications, the hackers spam-bombed his email account. In a short time, they had sent him more than 7,500 spam messages.
Each piece of spam came from a different email address (often from fake .info and .biz domains) and contained nothing but random text (for example, qne74c8r7wda5sof738hb0atuosqbff69vb3j0e4) for both the subject and body.
Spam storm as omen
The first sign that something was amiss was the spam assault -- which my friend initially noticed on his smartphone. Luckily, in the process of reviewing each email prior to deleting it, my friend saw the few intermingled stock trade notices and called his broker. His broker reversed the fraudulent transactions, changed the account logon information, and temporarily froze the account.
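A small triage script for the situation described above, added here as an example and not part of the original column: it separates random-text filler from messages worth reading right away, using the pattern in this story (a single random alphanumeric token as both subject and body, each message from a different sender) plus the reader's own allowlist of notification senders. The inbox, the addresses and the example-broker.com domain are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample inbox (not real mail): random-text filler from throwaway
# senders with two brokerage notices buried inside. All addresses are made up;
# example-broker.com stands in for the brokerage's real notification domain.
TRUSTED_SENDER_DOMAINS = {"example-broker.com"}  # assumed per-user allowlist
SAMPLE_INBOX = [
    {"from": "x9qf@throwaway1.info", "subject": "qne74c8r7wda5sof738hb0atuosqbff69vb3j0e4", "body": "k2j4h5g6f7d8s9a0b1c2"},
    {"from": "alerts@example-broker.com", "subject": "Contact information changed", "body": "The phone number on your account was updated."},
    {"from": "bb1@fakedomain.biz", "subject": "p0o9i8u7y6t5r4e3w2q1z", "body": "zxcvbnmasdfghjklqwerty"},
    {"from": "alerts@example-broker.com", "subject": "Trade confirmation: SELL 500 shares", "body": "Your sell order was executed."},
    {"from": "m4t@another-fake.info", "subject": "a1b2c3d4e5f6g7h8i9j0k1l2", "body": "mnbvcxzlkjhgfdsapoiuyt"},
]

# One long run of lowercase letters and digits with no spaces or punctuation.
RANDOM_TOKEN = re.compile(r"^[a-z0-9]{16,}$")


def sender_domain(msg):
    return msg["from"].rsplit("@", 1)[-1].lower()


def looks_like_filler(msg):
    """True when both subject and body are a single random-looking token.
    The sender's TLD is deliberately not used: a throwaway domain on its own
    is weak evidence and would misclassify ordinary mail."""
    return bool(RANDOM_TOKEN.match(msg["subject"].strip())) and \
        bool(RANDOM_TOKEN.match(msg["body"].strip()))


def triage(inbox, trusted_domains=TRUSTED_SENDER_DOMAINS):
    """Split an inbox into (read now, filler to review later). Anything from a
    trusted domain is surfaced even if it looks odd. This is a reading-order
    aid, not authentication: a From: header can be forged, so the notices
    themselves still have to be confirmed with the brokerage."""
    read_now, filler = [], []
    for msg in inbox:
        if sender_domain(msg) in trusted_domains or not looks_like_filler(msg):
            read_now.append(msg)
        else:
            filler.append(msg)
    return read_now, filler


def flood_signal(inbox):
    """Return (distinct sender domains, filler messages). A flood in which
    nearly every filler message has its own sender domain points to a
    deliberate spam bomb rather than an ordinary spam run."""
    domains = Counter(sender_domain(m) for m in inbox if looks_like_filler(m))
    return len(domains), sum(domains.values())
```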
This sort of hacking has been going on for years -- check out the Charles Schwab heist five years ago or the multiple-brokerage securities fraud busted last April -- but this was the first time I've been asked to participate in a related investigation or remediation.
My friend called to see if there was anything I could do, specifically if there was an easy way to stop the spam onslaught. He had already blocked a recurring IP address on his business Exchange server, but the email spam continued at the rate of about one per second. Unfortunately, I was out at a Thanksgiving family celebration and unable to get more involved to learn more useful details.
I called my friend Brian Krebs, who has plenty of experience with these sorts of professional hacking activities, often involving gangs and money mules. Brian made the right call: The spam would stop as soon as the hackers learned they weren't getting any money. He was spot on. What my hacked friend was seeing was leftover spam from backed-up email queues.
Eight preventive measures
I couldn't help my friend after the fact, but there are some preventive measures and mitigations that anyone with a stock trading account should follow.
- Look for a rollback guarantee. First and foremost, make sure your stock account is backed with a 100 percent guarantee of reversal for all fraudulent transactions. Most reputable stock trading accounts already offer this, as this sort of hacking is a way of life for them. But some low-cost trading sites might not offer the same guarantees.
- Be prepared. Have your stock site's fraud report phone numbers ready ahead of time. You don't want to scramble for hard-to-find phone numbers while your life's savings are drained away.
- See something? Say something. Report suspicious activity or contacts to your stock site, even if you don't see any fraudulent activity on your account. My friend noted suspicious phishing attempts -- and even someone claiming to be from the brokerage calling to ask him to verify his logon information. After the fact, my friend realized these were the first attempts by the hackers to gain information.
- Opt for multifactor. If your brokerage account offers two-factor authentication (such as tokens, SMS confirmation, and so on), take it. The additional cost or effort is worth the peace of mind.
- Choose maximum notification. Make sure to enable activity notifications and send them to email accounts you frequently monitor. Activity monitors should include notifications of account information changes, as well as of significant or unusual transactions.
- Use a unique logon. As recommended in a previous column, don't use the same password among multiple websites and services. Most of the time, the hackers gain their initial access by compromising another website or service using a phishing attack.
- Stay on top. Check your financial account transactions frequently. I check my stocks and bank accounts daily.
- No Starbucks for you. Avoid banking or trading at a Wi-Fi hotspot or any other shared public network where you can be spied on.