The securities firms that reported the breach have not confirmed the means by which accounts were accessed, but the Investment Dealers Association (IDA) pointed to pharming Web sites as another possible avenue.
Only two accounts were affected, although the IDA said a U.S. regulator had alerted it to a similar situation there.
“In the instances reported to the IDA, client portfolios were sold out,” the warning notice posted on the IDA Web site says. “The credit was then used to place buy orders for specific securities listed on the OTC Bulletin Board or NASDAQ pink sheets.”
IDA vice-president of enforcement Alex Popovic said it was the first time the association has been notified of a security breach involving the online accounts of its member institutions. “The security of the account system itself wasn’t compromised,” he said. “There’s encryption you would need to get past to get in, but the weak point is the person that accesses it – if they have somehow disclosed their password.”
Vince Hwang, group product manager at Symantec Security Response, said some criminals use a combination of phishing e-mail messages and vulnerabilities in Microsoft operating system environments to download malicious software that can record keystrokes or find other ways to get into a system. In general, the attacks are becoming more sophisticated because the motivation is financial gain.
“They’re taking the time to craft these socially engineered messages,” said Hwang. Some pharming Web sites may in fact take users to the legitimate secure area of a financial institution’s Web site first but include an additional link to verify status.