A London-based man is facing extradition to the United States after allegedly masterminding a scheme to hack public companies prior to their earnings announcements and use the secrets he uncovered to make millions of dollars on the stock market.
39-year-old Robert Westbrook is said to have used genealogy websites to gather personal information about company executives, which he then used to break into their email accounts and steal confidential corporate data.
According to US authorities, on at least five occasions between 2019 and 2020, Westbrook
managed to reset passwords by correctly answer security questions and gained unauthorised access to the email accounts of high-ranking executives, including CFOs, chief accounting officers, and finance directors.
Once inside executives' Office 365 accounts, Westbrook is alleged to have set up rules to automatically forward messages containing sensitive information to anonymous accounts under his control - specifically targeting emails containing information about upcoming earnings announcements.
At one company, Westbrook is said to have attempted to create a rule that forwarded emails if they contained attachments, or were sent by the firm's president, or if they came from an external auditor.
This insider information, it is alleged, was then used by Westbrook to generate over $3 million by making profitable trades on the stock market before it became known to the general public.
Despite Westbrook's efforts to conceal his identity through the use of VPNs, anonymous email accounts, and cryptocurrency payments, his alleged scheme was ultimately uncovered by experts at the SEC.
According to reports, Westbrook is also said to have subscribed to at least five CAPTCHA-solving services to assist him in the scheme.
The alleged success fo using personal information gleaned from genealogy websites suggests that the executives at the hacked companies were not adhering to the best security practices.
You should never choose easy-to-guess or easy-to-find-out answers to secret “Forgot your password?” questions. If a website asks you to tell it information like the name of your pet dog, the town you were born in, or your date of birth, tell it a lie instead!
That's why I tell my mother's maiden name is "Xena Warrior Princess", and she gave birth to me in the city of "Uv6DNwO1XSBJ8KD."
Westbrook was arrested in the United Kingdom, with the intention of extraditing him to the United States to face charges of security fraud, wire fraud, and five counts of computer fraud.
If convicted on all counts, Westbrook could face up to 65 years in prison.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsDecember 19, 2024
November 14, 2024