Crooks Made Millions By Breaking Into Execs' Office365 Inboxes, Feds Say

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged a man for an alleged "hack-to-trade" scheme that earned him millions of dollars by breaking into the Office365 accounts of executives at publicly traded companies and obtaining quarterly financial reports before they were released publicly. The action, taken by the office of the US Attorney for the district of New Jersey, accuses UK national Robert B. Westbrook of earning roughly $3.75 million in 2019 and 2020 from stock trades that capitalized on the illicitly obtained information. After accessing it, prosecutors said, he executed stock trades. The advance notice allowed him to act and profit on the information before the general public could. The US Securities and Exchange Commission filed a separate civil suit against Westbrook seeking an order that he pay civil penalties and return all ill-gotten gains. [...]

By obtaining material information, Westbrook was able to predict how a company's stock would perform once it became public. When results were likely to drive down stock prices, he would place "put" options, which give the purchaser the right to sell shares at a specific price within a specified span of time. The practice allowed Westbrook to profit when shares fell after financial results became public. When positive results were likely to send stock prices higher, Westbrook allegedly bought shares while they were still low and later sold them for a higher price. The prosecutors charged Westbrook with one count each of securities fraud and wire fraud and five counts of computer fraud. The securities fraud count carries a maximum penalty of up to 20 years' prison time and $5 million in fines The wire fraud count carries a maximum penalty of up to 20 years in prison and a fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. Each computer fraud count carries a maximum five years in prison and a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. "The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud," Jorge G. Tenreiro, acting chief of the SEC's Crypto Assets and Cyber Unit, said in a statement. "As this case demonstrates, even though Westbrook took multiple steps to conceal his identity -- including using anonymous email accounts, VPN services, and utilizing bitcoin -- the Commission's advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking."

Crooks?

[bill_mcgonigle]

Thomas Crooks?

Coconspirators?

Why would he buy puts or go long instead of buying calls?

Strange case.

Re:

[colonslash]

No, not Thomas Matthew Crooks, he's been memory holed. It's incredible how such a huge event, that would have gotten non-stop coverage for months a couple of decades ago, gets swept under the rug so quickly.

Re:

[penguinoid]

It's tradition to sweep assassination attempts under the rug, to avoid the Streisand Effect. Hence why you heard almost nothing about the dozens of assassination attempts against Obama, or Bush.

Also seems to be really easy

[gweihir]

I mean, MS does not even get the log-in right, like the bloody amateurs they are. (You should never give feedback whether the password or the 2nd factor was wrong, because that allows guessing the password...). Looks like "standardizing" on 2nd rated and worse solutions is a costly thing.

Re:

[Anonymous Coward]

MS does not present 2nd factor at all unless password is right and you can't brute force due to the lockout mechanism, if anything they are one of the few that do it right.

Re:

[gweihir]

MS allows you to guess the password without having the second factor. That is abysmally bad and fundamentally incompetent design as it dramatically reduces the strength of the authentication mechanism. You are clueless.

Re:

[bleedingobvious]

MS allows you to guess the password without having the second factor.

Bullshiat. Where do you get this FUD?

Re:

[gweihir]

From having logged into an MS account and, unlike you, not being terminally stupid and actually having observed what happens.

Re:

[bleedingobvious]

From having logged into an MS account and, unlike you, not being terminally stupid and actually having observed what happens.

That's nice. On what? Your rubber duck?

You're saying you logged in on a new device and weren't challenged for MFA, weren't denied because of the region you were logging in from and you weren't denied because the device is unmanaged?

Then you are clearly a master hacker!

Everyone else who deals with actual security considers the above to be basic practice. Ignoring basic practive is an issue of implementation not a failure of the tooling.

Re:

[gweihir]

Nope. I am claiming that if you enter the password wrongly, you get immediate feedback and you are _not_ asked for the 2nd factor. I guess you have really no clue how password guessing and verification works for an attacker. Incidentally, "new device"? I get asked for the password every time. These are corporate accounts. I do not have any private MS accounts.

Re:

[bleedingobvious]

I get asked for the password every time. .

There we go.

Failure to implement protections is not a failure of the tooling.

Re:

[gweihir]

That is_not_ something you can conclude here. Well, I guess you are far more comfortable to lie and claim nonsense than you are with admitting you are simply wrong. And you are.

Re:

[bleedingobvious]

you are far more comfortable to lie and claim nonsense than you are with admitting you are simply wrong.

Pretty sure I've pointed this out to you before but... ignorance is not a super power. Whining when called out on it just makes you seem... childish.

Third parties

[fluffernutter]

I said it from the beginning. Why would anyone entrust sensitive corporate data to any third party vendor? In this case it was a person from the outside, but it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.

Re:

[penguinoid]

it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.

It might still be; who knows how many have access and sell the info instead of using it to have suspiciously good luck in the stock market.

Re:

[gweihir]

it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.

It might still be; who knows how many have access and sell the info instead of using it to have suspiciously good luck in the stock market.

Indeed. Also, there may well people that understand how to actually run such an attack. The trick is to never be so "lucky" as to stretch credibility. Yes, that requires actual smarts and an ability to control your greed.The asshole from the story obviously does not have these. You also need to stop doing it after a short while and go back to regular trading effectiveness. Financial anomaly detection has gotten very good, because all these attack have happened before in some form or other.

Re:

[fatwilbur]

Literally what other option does a corporation have? An on-prem exchange server and all the non-stop vulnerabilities with those over the years? Some other in house solution where you need to have truly trusted and expert techs to maintain it? No matter what approach you take there is a path to being compromised.

Re:Third parties

[gweihir]

Do not use exchange. It is a crappy product with a crappy history, whether cloud or on-prem. There are excellent alternatives out there with very good security histories. Anybody excusing the crappiness of Microsoft products with "Nothing else can realistically be used!" is part of the problem and simply incompetent.
 

Re:

[fluffernutter]

*gasp* Expect a corporation to share their precious dollars with knowledgable techs?? Say it ain't so! Next thing you know they may need to hire lawyers and accountants that know what they are doing! What is this world coming to???

Re:

[gweihir]

I said it from the beginning. Why would anyone entrust sensitive corporate data to any third party vendor?

Greed, incompetence, arrogance, stupidity, follow-the-hype and inability to listen to experts. You know, typical CEO characteristics.

Re:

[cmseagle]

I said it from the beginning. Why would anyone entrust sensitive corporate data to any third party vendor?

Why would anyone entrust their valuable belongings to a safe deposit box? Surely they'd get better results building an on-prem vault, installing a security system, and hiring/training a team of guards?

/s

Re:

[fluffernutter]

You are seriously making that comparison? Not only does a person need physical access to a safe deposit box to see what's in it, but generally the things in the box aren't useful without physically possessing them. Don't you need a physical key to use the box? Also since you need to be physically there, it is very easy to limit the people who can even get you into the main safe to a few. It makes detection of foul play and the subsequent investigation just a bit easier /s

Re:

[cmseagle]

I can't tell if you're being deliberately obtuse but I'll give you the benefit of the doubt...

The point is that you could build your own vault, but practically no one does because it's probably not the core competency of most businesses. You simply have no chance of doing it economically compared to a third party that offers the service at scale. Maybe you gain some security benefits (e.g., the bank manager can't let a locksmith into the vault while you're away and have them drill your lock, or make a du

Re:

[fluffernutter]

That's like saying the odds of them knowing how to file their taxes are miniscule, or that the odds of the company knowing how to defend themselves from a slip and fall suit on their property are miniscule. Also in the cloud, they are still paying for the admins in the background so it's not cheaper. In fact it is usually more expensive. I'm not saying they should hire an admin in house, but they could outsource to a reputable company to make recommendations and put an admin on it part time.

Re:

[cmseagle]

Many companies bring in a third party to do their tax accounting (day-to-day bookkeeping generally falls into that "core competency" category, because if you don't know how much you're spending and earning your business probably isn't long for this world). Most companies would need to bring in outside counsel if they needed to defend a slip and fall lawsuit.

Looks like you can get a business Google account (Gmail, Docs, Sheets, etc.) for $5/user/month. For the ~98% of American businesses that have fewer t

Re:

[fluffernutter]

Well no. But then if you want the cheap account, you can't complain when stocks get manipulated and you probably shouldn't be listed at all for that reason. You need to pay to play. That's how capitalism works

Re:

[cmseagle]

Well no. But then if you want the cheap account, you can't complain when stocks get manipulated and you probably shouldn't be listed at all for that reason.

"Widely-adopted, off-the-shelf solutions are less secure than a one-of-a-kind, in-house solution" [Citation Needed]

The logical conclusion of such an argument is that you should also "pay to play" and roll your own crypto for your in-house solution, rather than it is to use a cheap option like OpenSSL.

Re:

[fluffernutter]

I'm just saying at least take a vpn. Preferably host a well tested local system. Make sure it's always up to date. Make it more like a safe deposit box.

Re:

[fluffernutter]

I could also ask, would you have someone charging $10 an hour in India do you books?

Scumbag.

[jddj]

Acting just like a Congressman.

Our old friend "wire fraud"

[null etc.]

At this point, the government's use of "wire fraud" to charge suspects of crimes is just so nebulous that it might as well be replaced by a more generic law called "illegal activities".

Re:Our old friend "wire fraud"

[Retired Chemist]

It allows them to make it a federal rather than state offense.

Insider Feds

[geekmux]

The arrogant irony of the “Feds” going after someone for doing what Nancy Pelosi defended as a fucking job perk for congresscritters, astounds me. Corruption has swung from nooses for less.

What are the names of the victims?

[SomePoorSchmuck]

A gambler in a casino obtains information that allows him to bet high when he should and bet low when he should. Other gamblers always had the option to refuse to call his bet.

Which people were forced to purchase shares from him or forced to sell shares to him? Which participants in the speculative casino known as the Stock Market did not agree to buy or sell at the price offered during the transaction, in an attempt to hopefully sucker him into selling too low or buying to high, so they could in turn later

Re:

[ZipNada]

>> Which people were forced

People who bought the options he sold while he had access to the insider-grade information. Information which he stole. Clearly criminal.

Re:

[Anne Thwacks]

Using Microsoft product - clearly a failure of security practice.

Re:

[gweihir]

Get some minimal information how a financial system works and how it fails. There is a reason insider trading is a very serious crime.

Re:

[misnohmer]

If you want to compare it to gambling, imagine playing Texas Hold'em Poker against a player who you later found out knew exactly what your cards were and what cards were coming next. Would you be upset, or claim that since nobody forced you to make the bets, it's all fair game?

Seems odd

[Retired Chemist]

He should have been able to make a lot more than that. Of course, greedy criminals get caught, but he got caught anyway. Also, why do senior executives have critical data in what were apparently publicly available mailboxes. Shouldn't they have separate accounts for business-critical information and contact with the public?

Re:

[Entrope]

These mailboxes were not "publicly available". They were in "the cloud", which means somebody else's inconsistently secured servers.

Re:

[gweihir]

You expect "senior executives" to have a clue? What world do you live in?

Re:

[Retired Chemist]

The one where their personal assistants keep them from making fools of themselves.

how was it done

[ZipNada]

I sounds like a relatively unsophisticated hack, and from the article it was only in 2019-2020 (Covid years?). Maybe the vulnerability was fixed thereafter?

"He pulled off the breaches by abusing the password reset mechanism Microsoft offered for Office365 accounts. In some cases, Westbrook allegedly went on to create forwarding rules that automatically sent all incoming emails to an email address he controlled."

Re:

[Baron_Yam]

I was still seeing 365 accounts compromised just a few months ago, though by different means. The final step of adding rules to the Inbox to prevent warning signs from reaching the owner of the account remains the same, though.

Never use public WiFi.

Re:

[gweihir]

Public Wifi is entirely unproblematic if you SSH over it or at least use a VPN. Of course, doing anything worthwhile over insecure connections is the pinnacle of stupidity. Also typically forbidden by the IT people, unless some C-level nil wit overruled them.

Re:

[Randseed]

Public Wifi is entirely unproblematic if you SSH over it or at least use a VPN. Of course, doing anything worthwhile over insecure connections is the pinnacle of stupidity. Also typically forbidden by the IT people, unless some C-level nil wit overruled them.

Agreed totally. This stuff needs to be more on the app level (SSH, TLS, whatever). I've seen plenty of people who will gladly use a VPN, but run into problems that lead to them turning it off. You get Cloudflare harassment, sites block known VPNs, etc. There are clearly ways to avoid this, such as setting up a VPN at your home or office and using that and praying that it doesn't wind up blocked too. But that's beyond the abilities of the average "one-click and it just works" user. I've had sites that block

Re:

[gweihir]

Completely agree that using computers and networks securely is beyond the average user at this time. I have had blocks on some of my static-IP VMs, but the provider cleared these up within a day. Some blocklist operator did not get these were individual servers by different people. No problems since then. Never had any blocks on my static IP at home.

The indictment seems justified

[jenningsthecat]

After all, insider trading is for, you know, insiders. Can't have any of the un-moneyed riff-raff getting in on the action.

Sure Jan

[algaeman]

the Commission's advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking

I'm going to have to call BS on this. I guessing the guy got cocky and told someone about his exploits. His associate got pinched and turned the hacker over to get a deal. What advanced data analytics is going to find a complete outsider trader making $3.75M?

because only the 'right' sort of crook

[Growlley]

is allowed to profit by crime related to business and the stock exchange,