Preventing Cybersecurity Breaches: The Story of Sharon, an RIA Employee Who Lost $748MM in Client Assets to Hackers.

MTradecraft was recently hired to perform a penetration test against an RIA. Our top objective was to find any sensitive or leaked data from the company and assess whether an external attacker could access the portfolio management software (PMS). We also aimed to conduct a human risk assessment to evaluate the effectiveness of the firm’s employee training program (there wasn’t one) by attempting to trick the employees into compromising their firm.

If we gained access to the PMS and the custodian’s portal, we could potentially manipulate the trading and cashiering processes to transfer client assets into our own accounts. A situation no firm wants to face.

It should terrify you how easy it was for us to destroy this firm.

For this particular attack against Sharon, I had already located a username and password that one of the firm’s employees used to access their custodian. These credentials had been published on the firm’s website by mistake because of a wrongly configured Office365 sharing setting. We discovered them using a set of “Google Dorks”. The CEO was also careless in not checking the “sharing” privileges for that specific document. This is a frequent problem, and in my experience I generally look for such misconfigured sensitive documents when analyzing these types of attacks.

For this attack, I targeted “Sharon”. She caught my attention because she had identified herself as the “portfolio assistant” for the company on LinkedIn and was highly active on various social media platforms. Her PMS credentials were also in the document I had discovered through my Google Dorks.

The company’s PMS requires 2-factor authentication for all users, which means that Sharon’s credentials are linked to a rotating 2-factor authentication code that I needed to obtain in order to access the PMS. By phishing Sharon, I was able to gain access to the company’s PMS in less than a day. Please note that the names of the firm and employees have been altered or obscured to maintain confidentiality and to protect the guilty.

Call #1 – I dialed Sharon and said my name was Dave.

Dave: Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?

Sharon: We use [REDACTED] as the custodian for our accounts.

Dave: Ah! [REDACTED]! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?

Sharon: It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to [REDACTED].

Dave: Excellent! And in the meantime, I can email you my PDF statement so that you can get the ball rolling with onboarding.

Note: Here, I am setting Sharon up to open a PDF containing key-logging malware that I will send her if I need to get access that way. At this point, I am still not sure how I am going to get into the system, so I am planting this seed. This is a great option, as I have yet to have a client not open a malicious PDF when they think inbound assets just fell into their lap.

Sharon: Sounds great. My email address is [***@***.com].

Dave: Great. I will send that over soon.

Now I must do some more research to figure out how I will get in. So I call another advisor that is completely unrelated to the firm but that I have found uses the same custodian. I found it by researching the FOIA data that is released by the SEC each quarter. The Form ADV data gives us significant and intimate insight into how a firm operates. We have covered why this is extremely problematic for registered firms in several videos that you can find on YouTube.

Call #2 – I called [REDACTED]…another firm that I found uses [REDACTED] as the custodian, so that I can get some background information on how [REDACTED] operates.

The phone was answered by a young lady named Allison. Judging from her LinkedIn profile, Allison was around 24-26 years old, a recent graduate working her first job as a trade desk assistant in NYC. She was a film school dropout and frequently posted her critiques of movies on numerous social media platforms.

Dave: Hi Allison, you might not be the right person and I am sorry for the distraction, but I am hoping you can help me out for 5 minutes. I found you on LinkedIn and saw you went to film school, which is why I am reaching out. I am a movie director and I am working on a film and I need someone to interview for some background. The film involves an investment firm that experiences a cyber attack and loses the client’s assets to North Korea. I need someone’s expertise to make sure my movie fits the real-life scenario since I know very little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?

Allison: Sure, I would love to help. What kinds of questions do you have?

Dave: Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don’t understand is HOW you make the trades in those portfolios.

Allison: Well…it’s not that complicated….

[Allison goes on for 15 minutes telling me everything I need to know about how she uses [REDACTED]’s PMS. I made sure to avoid asking any personal or firm-related questions so as not to raise suspicion, and constantly referred back to the film production. I took detailed notes on the operations at [REDACTED] and then called Sharon back.]

Call #3 – I called Sharon once more, this time acting as Chris Johnson, a customer service rep from [REDACTED].

Chris: Hi Sharon – This is Chris Johnson with [REDACTED]. I am conducting a customer satisfaction survey and wanted to see if you had 4 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?

Sharon: Sure thing.

[Sharon was enthusiastic to help…and sounded excited about the break in her routine]

Chris: First off, I need to speak with someone who uses our system. Are you authorized to use the [REDACTED] PMS system?

Sharon: Yes.

Chris: Great!

- Okay, what hours are you guys in the office?

- How many employees dial into [REDACTED]?

- How often do you call us?

- Is there anyone in particular you like to talk to when you have service issues?

- Did we ever fail to meet your expectations?

- How is our response time to your issues?

- Do you have any suggestions on how we can improve?

[Sharon answers them all and is very pleasant and happy throughout.]

Chris: Thanks, Sharon. I really appreciate your help and your time. Let me save your answers in my survey and get that gift certificate over to you in an email. One second, please…

Chris (pausing…): Hmm…that is interesting. Are you sure you are an authorized employee on [REDACTED]’s PMS system? I don’t see your name here.

[I asked in a puzzled, questioning way because victims are always happy to provide clarity or prove themselves right when challenged. It blinds them when you ask them to “prove” themselves.]

Sharon: Yes, I am authorized on all accounts.

Chris: OK, that is strange, because I don’t see your name listed on the account.

Sharon (acting somewhat insulted and annoyed): Well, there is something wrong there, because I have been here for 7 years and call the [REDACTED] team every day; usually for several hours each day.

Chris: There is no doubt from me, Sharon. This is a frequent problem and one of the side reasons for my call. I want to make sure we have the most accurate records, so let me research and get that updated for you. Give me one second to get you added here. I am going to go and pull the physical paperwork from our archive and then get you added back in. I am so sorry for the inconvenience here.

Sharon: [laughs and sighs]

[I allow 45 seconds of no talking with lots of typing in the background. I have an extra loud mechanical keyboard that I use for this work to make sure the victim can hear it. The overall goal here is to have Sharon swing from an agreeable state of mind to a confrontational mindset and back to a passive mindset. Essentially, we want to wear her out mentally so that her guard goes down on this call.]

Chris: OK, I see your authorization paperwork right here. Sharon Smith, right? I found it. No problem. Let me get you added to the official record again. I’m not sure how it was removed, because I see where you were authorized previously. Honestly, it may have been a mistake I made when I pulled your record up, so I am sorry for that. They call me “Fat Fingers” with the way I accidentally delete records, so thanks for your patience on this.

[20-second pause]

Chris: OK, all set. Let me get your 2FA code set back up now. Can you please read me the current 6 digits from your 2FA device so that I can get that added back in and synced with the system?

[Sharon reads the 2FA code as I act like I am typing it into my login screen.]

Chris: Sharon…?

Sharon: Yes?

Chris: This is Brian @ MTradecraft.

After a prolonged silence and a deep sigh of defeat and anxiety, I could sense that Sharon had become aware of the seriousness of the situation.

With that, the pentest was over and I had gained full control of the firm’s $748MM portfolio in less than a day. Having that 2FA code allowed me to access the firm’s PMS system and take a screenshot to prove I was there. Sharon was upset. She had just destroyed her employer.

Without proper cybersecurity threat training, this type of mistake happens frequently.

Background and lessons:

MTradecraft was hired to conduct a penetration test within a month’s timeframe, but the specific dates were not decided. Sharon herself had contacted MTradecraft to arrange the introductory call for the test, and she had attended the initial meeting where it was specified that phishing tests would be carried out.

That warning and knowledge were not enough to prevent the compromise of the client’s assets, because it was easy for someone to lift the 2FA code from her. She admitted that she did not anticipate the attack and did not suspect anything during the phone call.

Two things ultimately led to this epic and devastating compromise:

  • The CCO had previously made a mistake and accidentally published sensitive information publicly using the “Share” features found within Office365. That led to the discovery of Sharon’s login and password information using a series of intelligence-gathering techniques known as “Google Dorks”.
  • Sharon did not follow the basic cybersecurity hygiene that should be covered in an employee cybersecurity awareness training program: never give your 2FA code to anyone. There is never an exception to this rule. Period.
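As an added example (not part of MTradecraft’s write-up, and not the custodian’s or PMS vendor’s code), the Python below shows why a rotating 6-digit code read aloud works for whoever types it in first, and the one server-side check that at least makes the misuse visible: each RFC 6238 time step is accepted once, so the legitimate user’s own use of the same code is rejected and logged with its source. The secret, timestamps and source labels are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step, seconds
DIGITS = 6     # the "6 digits" read from the 2FA device
SKEW = 1       # steps of clock drift the server tolerates either side

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)

class TotpVerifier:
    """Accepts each time step at most once and records who consumed it."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1       # highest time step already used for a login
        self.events = []          # (outcome, source, step) audit trail

    def verify(self, code: str, unix_time: int, source: str) -> bool:
        now = unix_time // STEP
        for step in range(now - SKEW, now + SKEW + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step <= self.last_step:          # code already spent
                    self.events.append(("REPLAY", source, step))
                    return False
                self.last_step = step
                self.events.append(("OK", source, step))
                return True
        self.events.append(("BAD", source, now))
        return False

def phone_readout_scenario():
    """Constructed timeline: the code is read aloud at t, the caller types it
    20 s later from an unfamiliar address, the real user tries it 5 s after."""
    secret = b"constructed-demo-seed-not-a-real-key"   # hypothetical seed
    t = 1_700_000_010
    server = TotpVerifier(secret)
    spoken = totp(secret, t)
    caller_ok = server.verify(spoken, t + 20, "unknown-ip")   # first use wins
    owner_ok = server.verify(spoken, t + 25, "office-ip")     # rejected, logged
    return caller_ok, owner_ok, server.events
```

The replay check cannot stop a code handed straight to the caller; what it buys the firm is a failed login for the real user and an audit record tying the successful one to an unfamiliar source, which is the event its monitoring should alarm on.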