Attackers Claim Identity of Financial NGO to Steal Sharepoint, Office Credentials

Investment brokers are the target of a new wave of socially engineered phishing attacks, warns FINRA.

A new phishing campaign is targeting investment brokers with fraudulent emails aimed at stealing their Microsoft SharePoint and Office credentials, by invoking the identity of a credible financial regulatory organization.

The “widespread, ongoing phishing campaign” is using emails that claim to be from specific officers at the Financial Industry Regulatory Authority (FINRA), in an attempt to direct investment brokers to give up their Microsoft Office or SharePoint passwords, according to a post on the organization’s website.

“These emails have a source domain name ‘@broker-finra.org’ and request immediate attention to an attachment relating to your firm,” according to the warning.

To enhance the perception that the emails come from a trusted source, attackers are signing off on the messages with names of actual FINRA officers, including Bill Wollman and Josh Drobnyk, according to the authority. FINRA is a non-governmental organization that regulates brokerage firms and exchange markets.

“In at least in some cases, the emails do not actually include the attachment, in which case they may be attempting to gain the recipient’s trust so that a follow-up email can be sent with an infected attachment or link, or a request for confidential firm information,” according to the advisory.

In emails with an attachment, it is usually a PDF file that directs the user to a website, where they are prompted to enter their Microsoft Office or SharePoint password, according to FINRA.

FINRA recommends that anyone who may have received one of the fraudulent emails and already entered their password, change it immediately. They also should notify security administrators or other officials at their firms of the incident.

“The domain of ‘broker-finra.org’ is not connected to FINRA and firms should delete all emails originating from this domain name,” the advisory said. “In addition, FINRA has requested that the Internet domain registrar suspend services for ‘broker-finra.org.'”

The authority also reminded people to verify the legitimacy of any email that seems suspicious email prior to responding to it or opening any of its embedded links or attachments.

While the campaign is not expressly related to new security risks that have emerged in the wake of the coronavirus pandemic, there have been a rash of new email campaigns that use a similar tactic, with attackers masquerading as officials from public health organizations like the World Health Organization (WHO). These are aimed at taking advantage of people’s interest in information about COVID-19.

One example of this was seen earlier in April, when spearphishing emails designed to spread the LokiBot info-stealing trojan were sent to targets using the WHO trademark as a lure. There were also findings reported in March about an espionage attempt on the organization itself. In that case, a malicious site was set up that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, in an attempt to gain a foothold within WHO and steal non-public information regarding vaccine research and the like.

In general, phishing attempts are up. In fact, there have been so many new email-based campaigns during the COVID-19 health crisis that cybercriminals are recycling and repurposing old phishing kits in an attempt to conserve resources to keep the wave of email-based, pandemic-related scams going.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.