Hackers from India Indicted for Online Brokerage Intrusion Scheme
March 17, 2007
From http://www.infozine.com/news/stories/op/storiesView/sid/21633/
A few snippets from the article:
“A federal grand jury in Omaha, Neb., has indicted three individuals on charges of conspiracy, fraud and aggravated identity theft stemming from a high-tech, international fraud scheme designed to hijack online brokerage accounts for profit…”
“As part of this ongoing investigation, at least 60 customers and nine brokerage firms in the United States and elsewhere have been identified as victims, with one of the brokerage firms reporting more than $2 million in losses. Today’s case marks the first time that individuals have been arrested overseas in connection with an online brokerage intrusion scheme perpetrated in the United States.”
Bravo for catching these guys, but I’m frankly surprised that it’s the first time an overseas arrest has happened for this kind of activity! Does that mean everyone else who has done it has gotten away with it?
Here’s what they actually did. Smells like XSS flaws were involved but the article doesn’t say.
“Hack, Pump and Dump” Scheme
“In one of many examples alleged in the indictment, Marimuthu placed orders on Aug. 28, 2006, through his personal online brokerage account, to purchase 32,000 shares of stock in a company at prices from $2 to $3.20 per share. Chockalingam also placed an order through his personal online brokerage account to purchase 450 shares of the same stock for $3.20 per share.”
“The same day, the defendants gained unauthorized access to the online brokerage account of an unsuspecting investor. According to the indictment, the defendants used this account to illegally acquire 26,000 shares of the same stock at prices from $2.84 to $3.40 per share, causing the stock’s trading volume to rise to more than nine times its 15-day average.”
“Marimuthu then placed an order to sell 1,500 shares of the same stock from his personal online brokerage account at five dollars per share. This was one of at least 22 sell orders for this stock placed in Marimuthu’s personal online brokerage accounts between Aug. 28, 2006, and the morning of Aug. 29, 2006. These transactions allegedly resulted in the sale of 30,700 shares of this stock, yielding a substantial profit for the defendants over the course of just a few hours. The defendants used this type of scheme with various stocks between July and November 2006.”
This was a creative way to apply hacking to the “pump and dump” stock scam. Fortunately the miscreants have been caught (except for one) and are being prosecuted.
I suspect it was a combination of phishing and XSS which was used to compromise the accounts. As the court cases unfold, I’m going to follow this because I am very curious to find out about how they were caught.
-Adam