'Man in the browser' and other cybercriminals target the unaware

From system infiltrators to social engineers, scammers seek access to advisory firms' weakest points of entry.
JUN 13, 2014
As the Securities and Exchange Commission increases its scrutiny of cybersecurity at advisory firms, experts are warning of growing threats from scammers who are exploiting both software and human weaknesses to attack adviser practices and client accounts. One new online scam, known as “the man in the browser,” gives hackers a direct connection from an infected victim's machine into a target organization. Attackers get into users' machines while they browse the web, and then set to work installing malware, according to Roel Schouwenberg, principal researcher at IT security vendor Kaspersky Lab. By exploiting weaknesses, hackers can take advantage of errors in programming, he said. “The man in the browser is the most sophisticated type of threat because it's the hardest to detect from an organizational point of view,” Mr. Schouwenberg said. Everything looks the same from the victim's end, both in the machine and the browser. And from the organization's point of view, the machine will look the same.” These threats are happening at the same time the SEC is stepping up its assessment of advisory firms' cybersecurity. The SEC posted a risk alert that lists areas it will consider as it examines more than 50 registered investment advisers and broker-dealers. The list includes software safety, business practices and employee training. To fight such threats, Mr. Schouwenberg recommended that firms make sure all software is up to date and to install monthly Microsoft patches routinely. He also warned that attackers are going after browser plug-ins such as Adobe Flash, Adobe Reader and Oracle's Java, and that advisory firms may want to provide software to clients that provides routine security checks. “We're at a groundswell point with information security,” said Chris Valenti, risk and quality information security liaison for First Clearing Correspondent Services. “What I've seen since I started as liaison several years ago is people going from awareness of threats to understanding threats and how to mitigate risks.” But another threat, called “social engineering,” comes in physical form. In these cases, criminals impersonate firefighters or alarm system salesmen to prey upon company officials who give them access to their computers in the belief that they are being helpful. Social engineers may first use a phone call, e-mail or Google search to create a plausible pretext — such as, “We've been alerted to a virus, and we need your password” or “We need to come into your office and check your computer” — to gain entry into an advisory firm, he said. Employee cybersecurity training is the best way to protect firms against such scams, he said. A First Clearing white paper notes that social engineering is a common method hackers use to target and exploit employees in order to gain entry into a firm's computer network. “A customer service organization can expose itself to security threats just by virtue of wanting to help customers,” Mr. Valenti said. “We might inadvertently help somebody breach our network. Social engineering is about getting into an organization by getting past its controls and having people do it for you. It's an old-fashioned con.”

Latest News

LPL building out alts, banking services to chase wirehouse advisors, new CEO says
LPL building out alts, banking services to chase wirehouse advisors, new CEO says

New chief executive Rich Steinmeier replaced Dan Arnold on October 1.

Franklin Templeton CEO vows to "do what's right" amid record outflows
Franklin Templeton CEO vows to "do what's right" amid record outflows

The global firm is navigating a crisis of confidence as an SEC and DOJ probe into its Western Asset Management business sparked a historic $37B exodus.

For asset managers, easy experience is key to winning advisors' businesses
For asset managers, easy experience is key to winning advisors' businesses

Beyond returns, asset managers have to elevate their relationship with digital applications and a multichannel strategy, says JD Power.

Why retaining HNW clients ultimately comes down to one basic thing
Why retaining HNW clients ultimately comes down to one basic thing

New survey finds varied levels of loyalty to advisors by generation.

Stocks drop as investors digest Microsoft, Meta earnings
Stocks drop as investors digest Microsoft, Meta earnings

Busy day for results, key data give markets concerns.

SPONSORED Out with the old and in with the new: a 50% private markets portfolio

A great man died recently, but this did not make headlines. In fact, it barely even made the news. Maybe it’s because many have already mourned the departure of his greatest legacy: the 60/40 portfolio.

SPONSORED Destiny Wealth Partners: RIA Team of the Year shares keys to success

Discover the award-winning strategies behind Destiny Wealth Partners' client-centric approach.