The United States Financial Industry Regulatory Authority (FINRA) has warned brokerage firms of a phishing campaign used by hackers to install malware on employee devices.
The cybercriminal designed the emails to appear as if they were sent by a staff member of a credit union. As with many phishing campaigns, the emails contained a fake “urgent” message, this time pretending to alert the brokerage firm to potential money laundering by one of their clients.
FINRA is a private not-for-profit organisation that is authorised by Congress to protect and regulate the broker-dealer industry. Several brokerage firms notified the organisation of suspicious emails sent to staff members, and FINRA cautioned the industry of the potential risk of opening any suspicious emails.
The hacker included several elements to make the emails appear legitimate. For example, the hacker pretends to be a BSA-AML compliance officer at a legal Indiana-based credit union. The message body states that an attached document contains details of the suspected money laundering activity, a financial transaction made by one of the firm’s clients to the credit union and that the credit union has placed a hold on the transaction due to suspected money laundering. The hacker even includes a reference to the US Patriot Act, an unusual detail that was likely to lull the recipients of the email into a false sense of security.
FINRA’s announcement contained no specific information about the type of malware embedded in the documents. FINRA advises that all brokerage firms proceed with caution as malware of any type poses a severe security threat. For example, if the hacker used keylogger malware, the hacker could record an employee’s keystrokes and harvest login credentials. The hacker could use Trojan malware to install more malicious malware, such as malware to gain access to an infected device, at a later date.
There are several clues which indicate that this is a fake email. Although the hacker spoofs a legitimate USA credit union, the email address used in the scam is registered in Europe. As with many phishing campaigns, the hacker has a poor command of English, and the email is full of grammatical errors. Furthermore, the hacker includes no information about the transaction or the client in the body of the email, as would be expected for a legitimate email of this nature. The email insists that an attachment must be opened for the recipient to gain access to the information. Many phishing campaigns deliver malware through email attachments, so an email urging a user to open an attached document should be a warning sign.
FINRA recommends that employees should never open emails from unfamiliar senders. Alternatively, if they do open emails, never follow links embedded in the email or open attached PDF files or images. If they do accidentally click a link in an email or open an attachment, they should be encouraged to contact the IT department as quickly as possible and disconnect their device from the network to try to mitigate the damage. The IT department can assess if the hacker has acquired unauthorised access to the system. They can also tell the rest of the organisation of the potential breach so that others can be vigilant for similar scams.