The US Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice warning US brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information.
FINRA (Financial Industry Regulatory Authority), a non-profit organization supervised by the Securities and Exchange Commission (SEC), is the regulator for all US exchange markets and securities firms.
The non-governmental securities regulator supervises over 624,000 brokers across the nation and examines billions of market events daily.
Fake audit notifications used as bait
The financial regulator says that the phishing messages are being sent from finra-online[.]com, a recently registered web domain spoofing a legitimate FINRA website.
Attackers send the fraudulent emails from supports@finra-online[.]com under the sender name “FINRA Membership”, which lends the messages legitimacy by making them look as if they came from an official FINRA address.
“The email asks the recipient to respond to an issue of ‘regulatory non-compliance for which your immediate response is required’ and then asks the recipient to click on a link or document,” FINRA explains.
“FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.”
Since the finra-online[.]com domain is not connected in any way with FINRA, member firms are asked to delete all emails received from this domain immediately.
The domain used in these ongoing phishing attacks was registered just two days ago, on March 3rd, through the NameCheap domain name registrar.
WHOIS records reveal nothing about who registered the phishing domain, since all personal details are redacted by WhoisGuard, NameCheap’s privacy protection service.
FINRA has reached out to NameCheap and has requested that all services for the finra-online[.]com domain be suspended.
“FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links,” the regulator adds.
Phishing targets US brokers
While FINRA rarely issues such regulatory notices, it published four of them last year, two of which warned of phishing attacks targeting brokers’ information.
One of them, issued in December 2020, warned brokers of a similar phishing campaign using another domain (invest-finra[.]org) that spoofed a legitimate FINRA website.
In October, another notice alerted member firms of widespread phishing attacks using surveys to harvest sensitive information.
The securities regulator also alerted members that threat actors were using a copycat site hosted at finnra[.]org with a fake registration form to collect personal information for later use in spear-phishing attacks directed at FINRA members.
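The three campaigns above share one pattern: a sender or link domain that is not FINRA's but either embeds the brand name (finra-online[.]com, invest-finra[.]org) or is one typo away from it (finnra[.]org), often paired with a display name such as “FINRA Membership”. The following script is an added example, not part of the FINRA notice or of this article, showing how a mail gateway or triage tool could flag exactly those indicators in incoming messages. It assumes finra.org is the regulator's legitimate domain (the notice only says the lookalikes “spoof a legitimate FINRA website”), and the sample emails are constructed for the demonstration.

```python
"""Flag e-mails whose sender or links impersonate a brand domain.

Added example (not from the FINRA notice or the article). It checks the
indicators described there: a sender domain that is not the brand's real
domain but embeds the brand name, a near-miss spelling of the brand, and a
display name that claims the brand while the address does not.
"""
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "finra"
# Assumption: finra.org is the regulator's legitimate domain.
LEGITIMATE_DOMAINS = {"finra.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels (adequate for .com/.org; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_reasons(domain: str, where: str) -> list:
    """Return why `domain` looks like an impersonation of BRAND, if at all."""
    if domain in LEGITIMATE_DOMAINS:
        return []
    reasons = []
    label = domain.split(".")[0]
    if BRAND in label:
        reasons.append(f"{where} domain {domain} embeds '{BRAND}' but is not a legitimate domain")
    elif levenshtein(label, BRAND) <= 2:
        reasons.append(f"{where} domain {domain} is within 2 edits of '{BRAND}'")
    return reasons


def analyze(raw_email: str) -> dict:
    """Parse one RFC 822 message and collect impersonation indicators."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rpartition("@")[2]) if "@" in address else ""
    reasons = domain_reasons(sender_domain, "sender")
    if BRAND in display_name.lower() and sender_domain not in LEGITIMATE_DOMAINS:
        reasons.append(f"display name '{display_name}' claims the brand but sender domain is '{sender_domain}'")
    body = msg.get_payload()  # constructed samples are single-part plain text
    for host in URL_RE.findall(body):
        reasons.extend(domain_reasons(registrable_domain(host), "link"))
    return {"from": address, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages; the lookalike domains are the ones named in the notices.
SAMPLES = {
    "audit_alert": (
        "From: FINRA Membership <supports@finra-online.com>\n"
        "Subject: Regulatory non-compliance - immediate response required\n"
        "\n"
        "Please review the findings at http://finra-online.com/compliance-audit\n"
    ),
    "typosquat": (
        "From: Registration Desk <alerts@finnra.org>\n"
        "Subject: Update your member registration\n"
        "\n"
        "Reply with your updated details.\n"
    ),
    "genuine": (
        "From: FINRA Notices <notifications@finra.org>\n"
        "Subject: Regulatory Notice published\n"
        "\n"
        "A new notice is available.\n"
    ),
    "unrelated": (
        "From: Bob <bob@example-broker.com>\n"
        "Subject: Lunch\n"
        "\n"
        "Noon works for me.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = analyze(raw)
        print(f"{name:12} suspicious={verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print(f"    - {reason}")
```

The substring test catches the hyphenated lookalikes and the edit-distance test catches the doubled-letter one; a production deployment would swap the two-label `registrable_domain` heuristic for a public-suffix list and add the domain-age check the notice hints at (the domain was two days old), which needs WHOIS or RDAP access and so is left out of this offline example.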