Crooks Made Millions By Breaking Into Execs' Office365 Inboxes, Feds Say (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged a man for an alleged "hack-to-trade" scheme that earned him millions of dollars by breaking into the Office365 accounts of executives at publicly traded companies and obtaining quarterly financial reports before they were released publicly. The action, taken by the office of the US Attorney for the district of New Jersey, accuses UK national Robert B. Westbrook of earning roughly $3.75 million in 2019 and 2020 from stock trades that capitalized on the illicitly obtained information. After accessing it, prosecutors said, he executed stock trades. The advance notice allowed him to act and profit on the information before the general public could. The US Securities and Exchange Commission filed a separate civil suit against Westbrook seeking an order that he pay civil penalties and return all ill-gotten gains. [...]

By obtaining material information, Westbrook was able to predict how a company's stock would perform once it became public. When results were likely to drive down stock prices, he would place "put" options, which give the purchaser the right to sell shares at a specific price within a specified span of time. The practice allowed Westbrook to profit when shares fell after financial results became public. When positive results were likely to send stock prices higher, Westbrook allegedly bought shares while they were still low and later sold them for a higher price. The prosecutors charged Westbrook with one count each of securities fraud and wire fraud and five counts of computer fraud. The securities fraud count carries a maximum penalty of up to 20 years' prison time and $5 million in fines. The wire fraud count carries a maximum penalty of up to 20 years in prison and a fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. Each computer fraud count carries a maximum five years in prison and a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest.
"The SEC is engaged in ongoing efforts to protect markets and investors from the consequences of cyber fraud," Jorge G. Tenreiro, acting chief of the SEC's Crypto Assets and Cyber Unit, said in a statement. "As this case demonstrates, even though Westbrook took multiple steps to conceal his identity -- including using anonymous email accounts, VPN services, and utilizing bitcoin -- the Commission's advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking."

  • Thomas Crooks?

    Coconspirators?

    Why would he buy puts or go long instead of buying calls?

    Strange case.

    • No, not Thomas Matthew Crooks, he's been memory holed. It's incredible how such a huge event, that would have gotten non-stop coverage for months a couple of decades ago, gets swept under the rug so quickly.
  • I mean, MS does not even get the log-in right, like the bloody amateurs they are. (You should never give feedback whether the password or the 2nd factor was wrong, because that allows guessing the password...). Looks like "standardizing" on 2nd rated and worse solutions is a costly thing.

  • by fluffernutter ( 1411889 ) on Tuesday October 01, 2024 @05:52PM (#64832305)
    I said it from the beginning. Why would anyone entrust sensitive corporate data to any third party vendor? In this case it was a person from the outside, but it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.
    • it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.

      It might still be; who knows how many have access and sell the info instead of using it to have suspiciously good luck in the stock market.

      • by gweihir ( 88907 )

        it could have just as easily been someone at Microsoft with inside knowledge of almost every corporation out there.

        It might still be; who knows how many have access and sell the info instead of using it to have suspiciously good luck in the stock market.

        Indeed. Also, there may well be people that understand how to actually run such an attack. The trick is to never be so "lucky" as to stretch credibility. Yes, that requires actual smarts and an ability to control your greed. The asshole from the story obviously does not have these. You also need to stop doing it after a short while and go back to regular trading effectiveness. Financial anomaly detection has gotten very good, because all these attacks have happened before in some form or other.

    • Literally what other option does a corporation have? An on-prem exchange server and all the non-stop vulnerabilities with those over the years? Some other in house solution where you need to have truly trusted and expert techs to maintain it? No matter what approach you take there is a path to being compromised.
      • by gweihir ( 88907 )

        Do not use exchange. It is a crappy product with a crappy history, whether cloud or on-prem. There are excellent alternatives out there with very good security histories. Anybody excusing the crappiness of Microsoft products with "Nothing else can realistically be used!" is part of the problem and simply incompetent.
         

      • *gasp* Expect a corporation to share their precious dollars with knowledgeable techs?? Say it ain't so! Next thing you know they may need to hire lawyers and accountants that know what they are doing! What is this world coming to???
    • by gweihir ( 88907 )

      I said it from the beginning. Why would anyone entrust sensitive corporate data to any third party vendor?

      Greed, incompetence, arrogance, stupidity, follow-the-hype and inability to listen to experts. You know, typical CEO characteristics.

  • Acting just like a Congressman.

  • At this point, the government's use of "wire fraud" to charge suspects of crimes is just so nebulous that it might as well be replaced by a more generic law called "illegal activities".

  • The arrogant irony of the “Feds” going after someone for doing what Nancy Pelosi defended as a fucking job perk for congresscritters, astounds me. Corruption has swung from nooses for less.

  • A gambler in a casino obtains information that allows him to bet high when he should and bet low when he should. Other gamblers always had the option to refuse to call his bet.

    Which people were forced to purchase shares from him or forced to sell shares to him? Which participants in the speculative casino known as the Stock Market did not agree to buy or sell at the price offered during the transaction, in an attempt to hopefully sucker him into selling too low or buying too high, so they could in turn later

    • >> Which people were forced

      People who bought the options he sold while he had access to the insider-grade information. Information which he stole. Clearly criminal.

    • by gweihir ( 88907 )

      Get some minimal information how a financial system works and how it fails. There is a reason insider trading is a very serious crime.

  • He should have been able to make a lot more than that. Of course, greedy criminals get caught, but he got caught anyway. Also, why do senior executives have critical data in what were apparently publicly available mailboxes? Shouldn't they have separate accounts for business-critical information and contact with the public?
    • by Entrope ( 68843 )

      These mailboxes were not "publicly available". They were in "the cloud", which means somebody else's inconsistently secured servers.

    • by gweihir ( 88907 )

      You expect "senior executives" to have a clue? What world do you live in?

  • It sounds like a relatively unsophisticated hack, and from the article it was only in 2019-2020 (Covid years?). Maybe the vulnerability was fixed thereafter?

    "He pulled off the breaches by abusing the password reset mechanism Microsoft offered for Office365 accounts. In some cases, Westbrook allegedly went on to create forwarding rules that automatically sent all incoming emails to an email address he controlled."

    • I was still seeing 365 accounts compromised just a few months ago, though by different means. The final step of adding rules to the Inbox to prevent warning signs from reaching the owner of the account remains the same, though.

      Never use public WiFi.

      • by gweihir ( 88907 )

        Public Wifi is entirely unproblematic if you SSH over it or at least use a VPN. Of course, doing anything worthwhile over insecure connections is the pinnacle of stupidity. Also typically forbidden by the IT people, unless some C-level nil wit overruled them.

        • Public Wifi is entirely unproblematic if you SSH over it or at least use a VPN. Of course, doing anything worthwhile over insecure connections is the pinnacle of stupidity. Also typically forbidden by the IT people, unless some C-level nil wit overruled them.

          Agreed totally. This stuff needs to be more on the app level (SSH, TLS, whatever). I've seen plenty of people who will gladly use a VPN, but run into problems that lead to them turning it off. You get Cloudflare harassment, sites block known VPNs, etc. There are clearly ways to avoid this, such as setting up a VPN at your home or office and using that and praying that it doesn't wind up blocked too. But that's beyond the abilities of the average "one-click and it just works" user. I've had sites that block
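
The forwarding rules and owner-hiding Inbox rules mentioned in this thread are something a defender can look for in mailbox audit data. The following is an added example, not part of any comment above or of the Ars Technica report; the record layout follows Exchange entries in the Microsoft 365 unified audit log, and `INTERNAL_DOMAINS` and all sample records are constructed assumptions.

```python
# Added example: flag mailbox rules that forward mail externally or hide it from the owner.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}  # keep warning mail away from the owner

def external_targets(value):
    """Addresses in a parameter value whose domain is not internal."""
    found = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def review(record):
    """Findings for one audit record; empty list when nothing stands out."""
    if record.get("Operation") not in RULE_OPS:
        return []
    findings = []
    for param in record.get("Parameters", []):
        name, value = param.get("Name"), str(param.get("Value", ""))
        if name in FORWARD_PARAMS:
            findings += [f"{name} -> external {a}" for a in external_targets(value)]
        elif name in HIDE_PARAMS and value.lower() == "true":
            findings.append(f"{name} hides mail from the owner")
    return findings

def scan(records):
    """(UserId, ClientIP, findings) for every record with at least one finding."""
    return [(r.get("UserId"), r.get("ClientIP"), f) for r in records if (f := review(r))]

SAMPLE = [  # constructed records; documentation-range IPs and example domains
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "ForwardTo", "Value": "drop@mail.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "pa@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "ForwardTo", "Value": "cfo@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "ceo@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail.example.net"}]},
]

for user, ip, findings in scan(SAMPLE):
    print(user, ip, "; ".join(findings))
```

The same client IP creating external forwards on more than one executive mailbox, as in the constructed sample, is worth correlating with recent password-reset events for those accounts.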

  • by jenningsthecat ( 1525947 ) on Tuesday October 01, 2024 @08:11PM (#64832563)

    After all, insider trading is for, you know, insiders. Can't have any of the un-moneyed riff-raff getting in on the action.

  • the Commission's advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking

    I'm going to have to call BS on this. I'm guessing the guy got cocky and told someone about his exploits. His associate got pinched and turned the hacker over to get a deal. What advanced data analytics is going to find a complete outsider trader making $3.75M?
