In Search of Fidelity: A Successful Phishing Transcript
I was recently hired by "Carlson Wealth" to perform a penetration test against their RIA. The main priority was to discover sensitive or leaked data and to determine whether an outside attacker could gain access to the PMS system, so that, theoretically, we could affect trades, cashiering, etc.
It should terrify you how easy it is.
I went down the phishing route because I had already located a username and password that one of the firm’s employees used to access their custodian. The username and password I collected had been accidentally published publicly due to a misconfigured Office365 setting and a careless CCO. That is not uncommon. Additionally, the same username and password had already been published on the dark web, so this was a highly sensitive area that I needed to investigate further, because the same credentials were also used for her email.
The username and password were also tied to a rolling two-factor authentication code that I needed to access the PMS system, so that is what I went after.
It took less than 40 minutes to get access by phishing a firm employee.
(Shortened for readability. The firm’s and employees’ names have been changed to protect the guilty. I also bought Sharon lunch for having used her like I did. She was pretty upset that she had been so easily conned into giving away the keys to the kingdom.)
----------------------------
Call #1 – I called Sharon @ Carlson as “Dave White”
Dave – Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?
Sharon – We use Fidelity as the custodian for our accounts.
Dave – Ah! Fidelity! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?
Sharon – It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to Fidelity.
Dave – Excellent! And in the meantime I can email you my PDF statement so that you can get the ball rolling with onboarding.
Here, I am setting Sharon up to open a PDF containing key-logging malware that I will send her if I need to get access that way. At this point, I am still not sure how I am going to get into the system, so I am planting this seed. This is a great option, as I have yet to have an advisor not open a malicious PDF when they think there are inbound assets coming.
Sharon – Sounds great. My email address is……….
Dave – Great. I will send that over soon.
Now, I must do some more research to figure out how I will get in. So I call another advisor that is completely unrelated to the firm.
---------------------------------------
Call #2 – I called ABC Wealth Management, another firm that I found uses Fidelity, so that I can get some background information on how Fidelity operates.
The phone was answered by a young lady named Allison.
Dave – Hi Allison, you might not be the right person, and I am sorry for the distraction, but I am hoping you can help me out. I am a movie director and I am working on a film, and I need someone to interview for my project. The film involves an investment firm that experiences a cyber attack and loses the clients’ money. I need someone’s expertise to make sure my movie fits the real-life scenario, since I know little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?
Allison– Sure, I would love to help. What kinds of questions do you have?
Dave – Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don’t understand is HOW do you make the trades in those portfolios.
Allison– Well...it’s really not that complicated....
(Allison goes on for 15 minutes telling me everything I need to know about how she uses Fidelity’s Wealth Central system. She explained how they access the portfolios, how they access the systems, how they open new accounts, their reports, how they protect the information using 2FA, what kind of 2FA they use...everything. I led her along with questions and didn't ask any personal or firm-related questions, to keep her from getting suspicious.)
After taking detailed notes on Fidelity, it was time to call Sharon back.
-------------------------
Call #3 – I called Sharon once more. This time as Chris Johnson, a customer service rep from Fidelity’s Wealth Central, asking Sharon if she had a few minutes for a survey.
Chris – Hi Sharon – This is Chris Johnson with Wealth Central. I am conducting a customer satisfaction survey and wanted to see if you had 2 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?
Sharon was happy to help…and sounded excited for the break in her routine.
Chris – First off, are you authorized on the Wealth Central Program?
Sharon – Yes.
Chris – Great! Okay, what hours are you guys in the office? How many employees dial into Fidelity? How often do you call us? Is there anyone in particular you like to talk to? Did we ever fail to meet your expectations? How is our response time? Do you have any suggestions on how we can improve?
Sharon answers them all.
Chris – Thanks, Sharon. I really appreciate your help and your time. Let me save your answers real quick.
Chris – (Pausing….) Hmm...that is interesting. Are you an authorized employee who can talk about your experience?
(Asked in a puzzled, questioning way, because victims are always happy to provide clarity or prove themselves right. It blinds them when you ask them to prove themselves.)
Sharon– Yes, I am authorized on all accounts.
Chris – OK, that is strange because I don’t see your name listed on the account.
Sharon (acting somewhat insulted) – What! I have been here for 7 years and call Fidelity every day!
Chris – No doubt. This is a frequent problem and one of the side-reasons for my call. I want to make sure we have the most accurate records. Give me one second to get you added here.
(20 second delay….lots of typing in the background that Sharon can hear)
Chris – Ah yes….I see your authorization paperwork right here. Sharon Smith. I found it. No problem. Let me get you added to the official record again. I'm not sure how it was removed, because I see where you were authorized previously. Can you please read me the current 6 digits from your 2FA device so that I can authenticate that you are who you say you are? With all the cybersecurity scares today, they make me authenticate everyone!
Sharon reads the digits as I type them into my login screen.
Chris – Sharon....can I tell you something secret?
Sharon – Yes?
Brian – This is Brian Hahn.
Sharon – (10 second pause to realize what just happened) Shit.
The pentest is now over as I have gained full admin control of the entire firm’s $450MM portfolio in less than 40 minutes.
Sharon knew I was performing a pentest on her firm that month because she sat in during the initial meeting. This firm also gets an A+ for the compliance cybersecurity training that they do quarterly....yet I couldn't have had an easier time phishing the firm's most confidential data in a matter of minutes.