Attackers impersonate US self-regulatory body for brokerage firms in phishing email campaign that looks to harvest Office and SharePoint passwords
A US regulatory organisation has warned of a “widespread, ongoing” phishing campaign targeting financial services firms.
FINRA, the Financial Industry Regulatory Authority, is a non-governmental organisation that acts as a self-regulatory body for member brokerage firms and exchange markets.
The group said its members are currently being targeted by phishing emails purporting to be sent by FINRA officers including Bill Wollman and Josh Drobnyk, two of FINRA’s vice presidents.
The emails are sent from email addresses ending in @broker-finra.org, a domain name FINRA warned is not affiliated with the organisation.
The emails ask for the recipient’s immediate attention to a document relating to the firm, with some including a malicious PDF.
The PDF includes a link that directs users to a website, where they are asked to enter their Microsoft Office or SharePoint password.
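The sender domain is the cheapest signal in this campaign: the mail comes from @broker-finra.org, a domain that carries the FINRA name but is not FINRA's. The following is an added example (not FINRA's tooling and not part of the original article) of a mail-gateway style check that flags a sender whose domain contains the brand name but is not on an allowlist of the organisation's real domains, and separately flags display-name spoofing where the brand appears only in the friendly name. The allowlist, the brand token and the sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist: the domains the impersonated organisation really sends from.
LEGITIMATE_DOMAINS = {"finra.org"}
BRAND = "finra"


def parse_sender(raw_message: str):
    """Return (display_name, domain) from the From: header, both lowercased."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    return name.lower(), addr.rpartition("@")[2].lower()


def is_legitimate(domain: str) -> bool:
    """Exact allowlisted domain, or a genuine subdomain of one (e.g. mail.finra.org)."""
    return domain in LEGITIMATE_DOMAINS or any(
        domain.endswith("." + legit) for legit in LEGITIMATE_DOMAINS
    )


def classify_sender(display_name: str, domain: str):
    """Return None for a clean sender, or a short reason if it trades on the brand."""
    if is_legitimate(domain):
        return None
    # Registered lookalike: the brand appears inside a label of a non-allowlisted
    # domain (broker-finra.org, finra-support.com, finrasupport.net, ...).
    labels = domain.replace("-", ".").split(".")
    if any(BRAND in label for label in labels):
        return "brand in sender domain"
    # Display-name spoofing: brand in the friendly name, address somewhere else.
    if BRAND in display_name:
        return "brand in display name only"
    return None


def flag_lookalikes(messages):
    """Run the check over raw messages; return [(domain, reason)] for every hit."""
    hits = []
    for raw in messages:
        name, domain = parse_sender(raw)
        reason = classify_sender(name, domain)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample messages (not real captures); only the From: header matters.
SAMPLES = [
    "From: Bill Wollman <bwollman@broker-finra.org>\n"
    "Subject: Immediate attention required\n\nPlease review the attached document.\n",
    "From: FINRA Member Supervision <notices@finra.org>\n"
    "Subject: Regulatory notice\n\nRoutine notice.\n",
    "From: FINRA Compliance <alerts@example.com>\n"
    "Subject: Action required\n\nSign in to view the document.\n",
    "From: Vendor Support <help@mail.finra.org>\n"
    "Subject: Ticket update\n\nYour ticket was updated.\n",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SAMPLES):
        print(f"{domain}: {reason}")
```

The label split treats hyphens as separators, so the hyphenated lookalike used in this campaign is caught alongside plain substrings; the subdomain test keeps genuine hosts such as mail.finra.org out of the alert queue. A check like this belongs at the gateway or in the SIEM, in addition to, not instead of, enforcing SPF, DKIM and DMARC on the real domain, since a lookalike domain can pass all three for itself.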
Some emails don’t initially include the document, a tactic apparently intended to throw the target off-guard.
“In at least some cases, the emails do not actually include the attachment,” said Dave Kelley, FINRA’s director of member supervision specialist programmes, in an advisory.
“They may be attempting to gain the recipient’s trust so that a follow-up email can be sent with an infected attachment or link, or a request for confidential firm information.”
The campaign is ultimately aimed at obtaining Office or SharePoint passwords, Kelley said.
“FINRA recommends that anyone who entered their password change it immediately and notify the appropriate individuals in their firm of the incident,” Kelley said.
He added that FINRA recommends that members “verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links”.
FINRA says it oversees the activities of more than 634,000 registered brokers.
Last week security researchers warned of a highly convincing phishing campaign using imagery from automated Microsoft Teams notifications in attacks that aim to steal Office 365 credentials.
The phishing emails mimic the appearance of Microsoft Teams file share and audio chat notifications and had initially reached up to 50,000 users, said Abnormal Security.
Microsoft Teams, like other groupware applications, has seen a huge spike in usage in recent weeks due to coronavirus lockdowns around the world.