Using Social Media to Hack A Stock
May 14th, 2013
Needless to say, last month’s hack of the Associated Press’ official Twitter account caused lots of headlines. That incident, coupled with Syria’s pro-government forces’ recent Twitter attacks against CBS, NPR, and others shed light on the relative inadequacy of Twitter’s security mechanisms, specifically highlighting the need for Twitter to adopt multi-factor authentication as many of its consumer-oriented brethren have done in recent months, Apple in particular. (Supposedly, it is coming soon.)
Yet this story is about much more than Twitter, Internet security, or script kiddies (although check out the compromise of The Onion’s Twitter account and their subsequent explanation of how this occurred if you missed those!). In fact, I would argue that much of the mainstream coverage of these various incidents missed the more interesting point. Take the AP incident for instance. First of all, both the mainstream press and the capital markets-specific industry publications touted this as an indication that social media had officially “arrived,” which was patently absurd for anyone who hasn’t been sleeping under a rock for the past few years. Second, it’s not so much about sending the entire stock market into the tank as it is about the ability to influence one specific stock price and to gain handsomely from doing so! In fact, why not do so quietly and discreetly, far away from the limelight? Why even bother with well-known stocks on the Dow Jones or any other commonly discussed index or benchmark? Finally, while most of the coverage did a decent job of covering the Social Media bandwagon that the SEC created in April, it didn’t get into the fairly straightforward and obvious details regarding how a future attack on a specific stock could easily be executed – something critical for the industry to understand so they can plan for it accordingly in the future.
Most people know that “Pump & Dump” fraud schemes have been around for YEARS, even involving high school kids. For an excellent – and readable – history of Pump & Dump, I’d strongly recommend Chapter 11 in David Leinweber’s Nerds on Wall Street: Math, Machines and Wired Markets that originally appeared as an article in The Journal of Investing in mid-2001 co-authored by Leinweber and Ananth N. Madhavan. In it, the authors discuss how “the Web has also become the prime new venue for the old game of market manipulation” and cite numerous examples of how market manipulation has occurred (NEIP, Dutch coffee houses, PairGain, and others). They go on to say “Market manipulations do not go out of style. All that changes really are the details of how the rumors are spread and how bluffing is achieved. The key is communication technology, which allows more traders to be reached in less time.”
Pump & Dump’s lesser-known cousin, “Short & Distort,” can also be a powerful way to manipulate markets and make money illegally. So here’s my question … if you know that small-cap or mid-cap stocks (Pink Sheets might be too small and therefore too noticeable) are inclined to jump based on almost any news about these companies, then why wouldn’t a criminal intent on manipulating a specific security simply commit fraudulent manipulation by following in the footsteps of any number of well-known such activities that in fact have occurred many times before? Identifying a small-cap or mid-cap stock and then figuring out how to take over that company’s social media account in order to benefit from false “news” posted on the social media account by the criminal does not require such a wild stretch of the imagination if you look at some of the recent incidents mentioned above. After that it’s simply a matter of cha-ching and wiring the money using a money mule or laundering the money in some other creative way.
By the time the issue would be identified and resolved (especially if the money is being traded in multiple accounts at multiple firms and the criminal was smart about trading from different devices, IP addresses, etc.), it’s quite possible someone in another country and trading behind one or more false identities would be able to gather these manipulated “earnings” and disappear.
So this interesting combination of social media, regulatory flexibility, and information security leaves a gaping hole that regulators, investor relations professionals, corporate social media managers, and information security professionals need to be conscious of and to plan for.