A Sydney IT consultant was given a three-year prison sentence for insider trading and hacking the wifi network of Port Phillip Publishing (PPP), which provided ‘buy’ recommendations to investors.
The IT guy, Steven Oakes, was sentenced on Tuesday at the County Court at Melbourne for hacking PPP and insider trading following an investigation by financial market regulator ASIC into trades he conducted over four years between 2012 and 2016.
He sat outside PPP in a parked car and used a laptop to exploit vulnerabilities in PPP’s wifi network and acquire users' network credentials. He then used those credentials to remotely access the publisher’s ‘buy’ reports before the firm published them. PPP claims to have 200,000 subscribers to its email newsletters, which cover mostly ASX-listed companies.
Oakes used the information to unfairly profit on 70 occasions from shares he bought in 52 different companies that PPP had issued reports about, according to ASIC.
He would buy the stock a few days before PPP’s reports were published and sell it a few days afterwards, exploiting small price spikes caused by the publisher’s ‘buy’ reports.
Oakes was sentenced to three years in prison but will be released after 18 months, after pleading guilty to 11 charges in total for insider trading and hacking offences. He was initially charged with 43 computer offences, 70 insider trading offences, and two charges relating to him wiping evidence from an iPhone and laptop he was asked to produce by ASIC investigators.
ASIC investigators Peter Ridgley and Anthony Vardy shared some extra technical details in an ASIC podcast published today.
Oakes had researched hacking techniques and exploited a vulnerability in wifi systems that had been publicly disclosed at some point prior to his activities.
Multiple major wifi vulnerabilities have been discovered in recent years, such as KRACK, which was disclosed publicly in 2017 and could expose user credentials to an attacker on a vulnerable network. In December 2011, US CERT warned that an attacker within wireless range could exploit a flaw in multiple popular routers to gain a password for the wireless network.
Whatever the exact flaw Oakes used, he had been sitting outside PPP’s offices in a vehicle at the outset and used his laptop to hack its secured wifi network. He then used a man-in-the-middle (MITM) attack to grab passwords for PPP's information systems.
“Then he uses what’s known as a man-in-the-middle attack. Doing this, he can intercept the communications that are sent over the wifi network at the time and then get information like usernames and passwords from people using the wifi,” explained Ridgley.
“With this information he could log into the computer network pretending to be one of the proper users. And he hit the jackpot. He got the credentials of a user who had access to pretty much everything in the network.”
“Once he did this, he could locate and read the unpublished reports on stocks with buy recommendations.”
Because of PPP’s popularity with investors, he could exploit the predictable small spikes in a stock’s price after the ‘buy’ recommendation newsletter was published.
The “red flag” for ASIC investigators was Oakes’ repeated purchases of shares a few days before PPP’s reports were published and his sales of them a few days afterwards.
“It’s come to ASIC’s attention through our market surveillance system. What is making us think he’s not just lucky is the pattern of his trading and the time of his buys. Just before Port Phillip Publishing has published reports. It seemed like more than just a coincidence,” said Ridgley.
Of course, once Oakes had the PPP passwords he needed, he no longer needed to sit outside PPP’s offices, near its wifi network.
“He could log into the network from anywhere… just like any other user,” said Ridgley.
He made about 6.5 percent profit off of the shares he sold and a total profit of more than $220,000.
Oakes hit a roadblock after an IT systems upgrade at PPP that prompted its users to change their passwords, but it didn’t actually stop him because some users didn’t change their passwords as PPP had recommended.
“He was probably able to see staff being asked to change their passwords. It seems some staff didn’t change their passwords when they should have,” said Ridgley.
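The gap described here, a password reset that some accounts never completed, can be checked for directly. The following is an added example, not part of the original article or any PPP or ASIC tooling: it lists accounts whose password predates a reset deadline and flags successful logins by those accounts afterwards, marking whether the source was outside the office network. All account names, timestamps, addresses and the log format are constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical accounts, times and addresses).
RESET_DEADLINE = datetime(2024, 3, 1, 9, 0)
OFFICE_NETS = [ip_network("10.20.0.0/16")]

ACCOUNTS = {  # account -> time its password was last changed
    "alice": datetime(2024, 3, 1, 10, 5),
    "bob": datetime(2023, 6, 12, 8, 30),
    "svc-reports": datetime(2022, 1, 4, 0, 0),
}

# Assumed log format: timestamp, account, source address, result
AUTH_LOG = """\
2024-03-02T08:14:00 alice 10.20.4.17 success
2024-03-02T23:41:00 bob 203.0.113.50 success
2024-03-03T09:02:00 bob 10.20.4.22 success
2024-03-03T23:55:00 svc-reports 203.0.113.50 failure
2024-03-04T00:03:00 svc-reports 203.0.113.50 success
"""


def stale_accounts(accounts, deadline):
    """Accounts whose password was last changed before the reset deadline."""
    return sorted(a for a, changed in accounts.items() if changed < deadline)


def parse_log(text):
    """Yield (time, account, source address, result) for each log line."""
    for line in text.splitlines():
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts), user, ip_address(src), result


def risky_logins(accounts, log_text, deadline, office_nets):
    """Successful post-deadline logins by accounts still on a pre-reset password."""
    stale = set(stale_accounts(accounts, deadline))
    hits = []
    for ts, user, src, result in parse_log(log_text):
        if result != "success" or ts < deadline or user not in stale:
            continue
        origin = "office" if any(src in n for n in office_nets) else "remote"
        hits.append((user, ts.isoformat(), str(src), origin))
    return hits


if __name__ == "__main__":
    print("stale:", stale_accounts(ACCOUNTS, RESET_DEADLINE))
    for hit in risky_logins(ACCOUNTS, AUTH_LOG, RESET_DEADLINE, OFFICE_NETS):
        print(hit)
```

Expiring the old passwords at the deadline, rather than only recommending a change, removes the stale set entirely.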
ASIC investigators used their investigatory powers to demand Oakes produce computer devices with suspected evidence on them. However, he wiped the devices, which is a criminal offence under Australian ASIC law, after claiming to investigators that he didn’t have any evidence to produce. He produced a blank iPhone and a laptop.
“It’s pretty suspicious,” said fellow ASIC investigator, Vardy.
Vardy said investigators were able to recover enough information to show that Oakes had done “some interesting internet searches about hacking” and had files related to his insider trading that he had saved elsewhere and deleted from his laptop, but which ASIC could nonetheless prove came from his devices.