
Richard Hawking: Outsider Trading, hacking stocks using public information and influence

Thank you. Can you guys hear me okay? Thanks for coming to my talk. First time speaking at BSides, so if I seem nervous it's because I am. Let's get straight into it, I have a few slides to work through.

So my name is Richard Hawking. I work as a penetration tester at a company called Telspace Systems, based in Johannesburg. Some of my likes: bypassing logic, breaking things, I like to do some hacking. I like to do some relaxing, mostly with a piano or a braai, sometimes together.

Right, so what is this all about? It's not a technical talk as such, there's no 0-days, there's no leet stuff. It's essentially more an idea of how our daily tasks as security analysts might help in other areas of normal life.

So my idea came from a TV show called Triptych, an early-90s Afrikaans TV show. I started watching it again for some comedic relief and one of the plots jumped out at me. Company X started a massive bridge-building project in China; hackers would then break into news agencies and spread false news that the bridge had collapsed, and that would lead the stock price of Company X to drop. So with that lying in my subconscious, some beer discussions ensued, only over one beer. One of my mates is a stock trader, we started talking, and basically it came out that as security analysts our brains are formed and conditioned for spotting anomalies, right? We like analytics, that's why we do stuff. So the point is basically: let's see if we can play the stock market game and maybe make some mad money in the process. That's always good, right?

So just some stock market basics. I'm in no way a professional trader, but basically you have short selling, or going bearish on a stock. The idea is you sell a stock because you think the price is going to fall, and then you buy back later for a profit, right? So the more it goes down, the more money you make. The other part of that is going long, bullish. Basically that's purchasing a stock hoping that the price will increase, so that's where the term "buy low, sell high" comes from.

Okay, so what influences stock prices? These are by no means the only things, but this is what I saw: quarterly results announcements from companies, which are required by law; events; massive mergers; PR nightmares; breaches; new product launches. All of that can influence the stock market, right? And if you guys can tell me if the scare is going up or down I will definitely give you some stickers, because I can't figure it out.

Yeah, so there are some illegal ways of manipulating stock. Don't try this at home, you will most definitely get locked up. I'm sure you guys heard about the TalkTalk breach early in October 2015: 160,000 customer credit card details got leaked. Because of that, profits fell to 14 million pounds compared to 32 million pounds earlier that year, and as you can see that's quite a big dip.

Something interesting we saw when the WannaCry ransomware was spreading: it almost looked like the Bitcoin price started moving with it. As you can see at the first pointer, that's when the first variant came out, I think that was the 12th or 13th of May, that was the one with the kill switch. The Bitcoin price went up a bit, came down, and the second variant came out just after that, with no kill switch, and it looks like it went up. So we know that Bitcoin is volatile; it's just something that we did spot that's pretty interesting.

Some news agencies reported that the WannaCry ransomware losses could reach four billion dollars. That's not because of the ransomware itself, I don't think they made a lot of money out of that, but basically that's because of the lost productivity, the cost of investigations and the restoration of data. Something interesting we saw is that companies tried to use their kidnap policies, their insurance kidnap policies, to recoup some of the WannaCry losses. The first thing that came to my mind was that the insurance companies have certain reserves to pay for their clients' fraud. So if these guys are successful and a number of companies claim the insurance money, the insurance companies' reserves might deplete, and that might cause some stock prices of the insurance companies to fall. That's something that could be interesting to have a look at further on.

Okay, we all know phishing, spear phishing. So some techniques the guys use: spear phish a CEO or CFO, get internal emails, get sensitive information, use that to trade on. That is considered insider trading, although you're from the outside. One of the good examples is the W-2 wage and tax statements. By mid-2016 over seventy US companies fell victim to this W-2 phishing scam. Basically the MO was to spoof that of a CEO or CFO and send an email to the HR department asking for all the W-2 tax forms. HR obviously always obliges, sends a nice little friendly smiley face on the email, and basically they used that to claim tax rebates. So they got the forms and did the rebate as well, so they made money just out of the tax. So there is some sort of a two-pronged approach.

Now the example is Seagate. They were one of the companies that were hit by the W-2 phishing scam, so the information for their current and past employees for 2015 was compromised. Their stock dropped 3.5% the day the news broke. Not only did the phishing campaign get money because of the rebates, it also got money out of the stock price dipping. So that's a double cash-back for one simple phishing campaign.

Okay, some legal ways: paying for data. Spend cash to add more cash, makes sense I guess. So like we said, quarterly results, merger announcements and press releases are some of the things that influence a stock, but investors are always looking for more information, anything to get that edge on an indicator, right? Just a quick shout-out to Robert Lin Yao for the presentation, Nick Cobra Levesque, you've got some awesome research on some legal paying stuff, and Stemler, and the Wall Street Journal.

Okay, so there's a company called Genscape. They basically measure and track the energy markets and they've got some fancy, sophisticated tools, recon techniques: they've got some satellites, they use AI, and they also have choppers with infrared cameras. Maybe they'll have some sharks with lasers later on, I'm not sure. So the US consumes about 12 million barrels of oil a day; eighty to ninety percent of that passes through Cushing, Oklahoma. These choppers with infrared cameras would fly around all these tanks, they would take photos of the storage tanks and they could predict, sort of see, the levels of those storage tanks. Genscape has predicted the Energy Information Administration's weekly announcements of those levels correctly for every week for the past four years. So they just get their chopper in there, do the scans, and have data that nobody else has. To hire these guys you do need about six figures though, so it's not like I'm going to hire them. Obviously these levels can give insights into the demand and the subsequent changes in the oil price.

UBS Investments hired a company called Remote Sensing Metrics, which is a satellite imagery analytics firm. Basically they took images of about 100 Walmart parking lots, and by counting the cars in the Walmart parking lots month in, month out, they could analyse and get a mathematical equation of the flow of customers. Based on that, you could see if the revenue might increase or decrease and obviously see if the stock price might go up or down.

Another one, and I hope I pronounce this correctly, Chipotle. There was a cholera outbreak in October 2015 and everybody knew it's bad news, right? So they just wanted to figure out how bad it was really going to get. A company called Taken Measure, which is a credit card data analytics firm, says they partnered with a variety of strategic partners and took some samples of sanitised credit card data. These transactions did not only show that Chipotle was losing customers quite dramatically, but they could also see where the customers were going instead. So with this data you can short and buy at the same time and make some double profits, right?

Okay, so as analysts, using what we have, as MacGyver would do it: if he needs to make a bomb he can use two speakers, throw in an avocado and make some damage, right? So our normal methodologies: discovery, analysis, exploitation and reporting, very basic. The thing with this is the first two steps are exactly the same: do your discovery, do your analysis. Your exploit would literally be buy or sell, and then the greatest reporting would be cash. I think every penetration tester would like to see some cash instead of writing a report, right?

So some methods used by others. The Foursquare API was used and abused by hedge fund managers. They used the check-in data for major retailers, and based on those trends they could sell the data and make some profit out of the shares. Foursquare has since raised their price on the API usage quite a bit. Another one was sites that use auto-incrementing user IDs with registrations. By registering monthly or weekly you can plot the differences in the registration numbers, and based on that you can see how many users are new on the system. One of those was Adobe when they shifted to the Creative Cloud; somebody successfully traded on that auto-incrementing ID.

Okay, so what we did, basically, back to basics, go back to school. I think everybody knows about Google Trends, nothing new there. Just interesting is, if you do a search for the term "iPhone" you can see at every launch there's a big spike in searches, and just by plotting that you can see there is a decline in the number of searches. The Apple quarterly report that was released in October 2016 showed that the iPhone sales dropped, and the share dropped 2.6 percent on that news. So something as simple as Google Trends gives you some form of indication.

We can also use reverse WHOIS, so find a domain or domains associated with certain registrant details. That's useful in pentests obviously, and in stock trading as well. Usually a new product equals a new domain name to be registered. Various online services, WHOIS services, let us continuously track per registrant any new domains that they register. There is a monthly fee, but it's definitely viable.

So when we started with a little POC, we wanted to see who we can track. We had a look at the Nasdaq and focused on companies with large and diverse portfolios and obviously frequent new product offerings. One of the companies was Coty, don't ask me how we got onto that. It's one of the world's leading beauty companies, approximately nine billion in revenue with over seventy-seven brands. Our triggers came up and said katyperrymadlove.com was registered; that was on the 31st of March 2016. So we had a look around and couldn't really see anything relating Katy Perry to Mad Love, and on the first of June we saw a tweet that Katy Perry was launching a new fragrance. So with that news Coty stock did go up a bit, but essentially there were three months of lead time to make some decisions on that information.

We didn't track Nintendo, but we wanted to see, with the Super Mario game, if we had been tracking, would we make some profit off that. There was a massive launch share spike, right, quite dramatic. But the interesting thing is that the day they launched, or said they were going to launch the game, is the same day that domain was created. So somebody in the back end obviously knew not to leak any information beforehand, so that was pretty cool.

After that we went a bit more local to South Africa. Spur is a restaurant; they also own a lot of restaurants as a holding company. We started tracking them and we saw that there was a domain, casabelladining.co.za, which was registered on the 8th of Feb 2016, and we couldn't see any news in any searches. Then at the end of Feb they announced that they were launching a new pizzeria, which is Casa Bella. On that the price went up quite a bit, and we had 20 days' lead on it, so we could have actually made some profit there if we were actually trading and not just analysing, right?

Okay, another technique is DNS enumeration. There are 3,155 companies listed on the Nasdaq; of those, 449 are categorised as technology, and I wonder how many technology companies allow DNS zone transfers. If it was some sort of an online software provider you could definitely play with that. So with the POC in hand, and I know DNS zone transfers are illegal in a few states, some countries, so it's going to be totally anonymous, but we found a company and we started doing zone transfers every month. We could track how many servers they were adding, internal and external. So that's really bad for them, but the good thing is they were all sequentially numbered, so instead of doing mad backflips and grepping we could just literally go and count the number of the records, right? The overall increase in the servers that we saw leading up to the results announcement, compared to the previous months, is obviously a clear indicator they're getting new customers: they have to update server power for the new customers, right? So the quarterly earnings released in November 2016 saw a jump of approximately six percent on the back of the excellent news because of new customers, and that result was entirely predictable just from a DNS zone transfer.

Okay, so wrapping it up: there is no guarantee for trading, be it OSINT or normal trading. It's all about indicators, it's all about target selection. So it's difficult to set it up, but I think once you have a good target you can definitely start using it properly. Cool, that's my talk. Thanks guys.

[Applause]

Okay, we have about five minutes for questions. Anybody have a question?

[Question inaudible]

I haven't checked the private registrations, but I think because of the small amount they might be, it'll be difficult to get that target first off, right? Yeah, so try and get a bigger target just to work, and work your way down.

Could you do kind of a quick example of one of the indicators that you might have researched that didn't pan out for you, like a common misguided trading decision based on that?

Probably 80% of them, yeah. So we didn't trade on this information, we just analysed, but yeah, it's difficult to find the right target. You really have to do some searching, but it is viable, right?

Okay, what was your most exciting or worst letdown? Like, did something throw you?

Not really. I think with all the flags and "aahs", nothing really put me down. I think it just motivated me more to go deeper into it, further companies. But obviously once you do choose the company or targets you want to play with and they don't release new domains and it's all under one holding company, it does get difficult and irritating. So once you do find a company that's...

Sorry, if I wasn't able to tell this from the snapshots of the registers, it looks like the companies that you found use registrar masking, basically. How did you identify the companies themselves?

Some of them do; those were examples, but a lot of them do just do it via their own company names. So the local one I focused on more, you could see that was a holding company which was the registrant. Okay, exactly, yeah. So look for a holding company, a big umbrella, and try to work your way down.

Anybody else?

Thank you. There are intelligence companies that track what senators invest in, because they tend to make more money. Did you find any government hooks where you saw government data that gave an indicator for the stock market, like, you know, the country's... how they invest in this?

This doesn't focus on government at all. That's one thing that was a rabbit hole I didn't want to jump into; that might get a bit weird.

Have you been following the DDoS attacks against some of the many Bitcoin exchanges?

Not recently, but yeah, I definitely want to have a look at that, maybe take this research further. Hope you guys enjoyed it. I thank you all for coming.

You can always follow up with our speakers on paralyzed after the event, and we're going to open up with our next talk in about eight minutes.
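The record counting described in the DNS enumeration part of the talk, as an added example that is not the speaker's code: it parses two constructed monthly zone snapshots for a hypothetical domain (made-up hosts and addresses), groups sequentially numbered names such as web01 to web06, and reports the month-on-month server growth that anyone with zone-transfer access could read straight off the zone. A defender can run the same report over their own zone export to see what an open AXFR would reveal; the counter-measures are restricting transfers to the authorised secondaries and not numbering hosts sequentially.

```python
import re
from collections import defaultdict

# Constructed zone snapshots for a hypothetical domain (made-up hosts and addresses).
ZONE_FEB = """@     IN SOA ns1 hostmaster 2016020801 3600 900 604800 86400
ns1   IN A 192.0.2.1
web01 IN A 192.0.2.10
web02 IN A 192.0.2.11
web03 IN A 192.0.2.12
"""
ZONE_MAR = """@     IN SOA ns1 hostmaster 2016031501 3600 900 604800 86400
ns1   IN A 192.0.2.1
web01 IN A 192.0.2.10
web02 IN A 192.0.2.11
web03 IN A 192.0.2.12
web04 IN A 192.0.2.13
web05 IN A 192.0.2.14
web06 IN A 192.0.2.15
db01  IN A 10.0.0.5
"""

A_RECORD = re.compile(r"^(?P<host>[a-z0-9-]+)\s+IN\s+A\s+\S+$", re.I)
NUMBERED = re.compile(r"^(?P<prefix>[a-z-]+?)(?P<num>\d+)$", re.I)

def numbered_hosts(zone_text):
    """Group A-record names like web01 into {prefix: sorted numeric suffixes}."""
    groups = defaultdict(list)
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            n = NUMBERED.match(m.group("host"))
            if n:
                groups[n.group("prefix").lower()].append(int(n.group("num")))
    return {p: sorted(v) for p, v in groups.items()}

def is_sequential(nums):
    """True when the suffixes form an unbroken run, so counting hosts is trivial."""
    return bool(nums) and nums == list(range(nums[0], nums[0] + len(nums)))

def growth_report(old_zone, new_zone):
    """Per prefix: hosts before/after, hosts added, and whether naming is sequential."""
    old, new = numbered_hosts(old_zone), numbered_hosts(new_zone)
    return {
        p: {"before": len(old.get(p, [])), "after": len(new.get(p, [])),
            "added": len(new.get(p, [])) - len(old.get(p, [])),
            "sequential": is_sequential(new.get(p, []))}
        for p in sorted(set(old) | set(new))
    }
```

Summing the "added" column across prefixes gives the month-on-month server growth the talk used as its earnings indicator; a "sequential" value of True for a prefix is the naming weakness that made the count trivial.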