The Nasdaq can be hacked in 10 minutes

Just 10 minutes could be sufficient for an attacker to hack the Nasdaq Stock Market: this was the alert sounded by Ilia Kolochenko, head of Swiss information security company High-Tech Bridge.

According to Security Affairs, the security expert repeatedly warned Nasdaq.com about the risk of a cyber attack against this most important stock exchange. Hackers could hit the financial world in various ways, targeting clients and trading platforms, as revealed a few months ago by security firm Group-IB. Hackers could steal sensitive data from victims, Kolochenko warned; the expert also highlighted that the Exchange has done nothing to preserve the security of its customers.

“A good hacker can get full access to Nasdaq.com in a couple of days with the ability to do almost whatever he wants, such as push an announcement that Facebook shares have dropped 90%, [which] could cause havoc on the stock exchange… It is quite frightening when you think about it. I discovered these vulnerabilities in just 10 minutes with a Firefox browser without any special tools or software… What is shocking is their attitude and ignorance of notifications, especially taking into consideration their recent technical failure,” said Kolochenko.

The intruders could hack the Nasdaq website and gain complete control. Once the site is compromised, cyber criminals could install malware, steal users’ browser history and cookies, and perform phishing attacks. The warning coincided with the Nasdaq’s trading halt caused, according to official sources, by a “technical glitch” that shut it down for three hours on August 22nd.

According to many computer experts, the incident could hide a scary truth: it could have been caused by a politically motivated cyber attack. It is no mystery that the stock exchange is considered critical infrastructure and for this reason is a target of state-sponsored attacks. Around the same time as the Nasdaq’s technical problem, the Syrian Electronic Army hit The New York Times’ website.

iHLS – Israel Homeland Security

In addition, Kolochenko claimed that he was able to inject some code into the website without being detected. “This means anyone could inject arbitrary HTML code into Nasdaq.com to display a fake Web form demanding credit card numbers and other personal information or to inject malware to infect PC users. The only limit is the hacker’s imagination.”

Code injection is just one way to hack the Nasdaq; Kolochenko found another vulnerability that would allow hackers to hijack a Nasdaq.com website. The same threat applies to employees of the stock exchange, who could be easy victims of a spear phishing attack. Kolochenko maintains that another way to hack the Nasdaq is to send a unique link in a private message to Nasdaq technical support or administrators and wait for them to click it, in order to steal confidential information from the victim’s browser.

The representatives of the Stock Exchange disagreed with Kolochenko’s allegations. “We take all information security matters seriously. We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets,” said the Nasdaq spokesman.