Schemers Pose as FINRA Officers to Illegally Obtain Microsoft Office and SharePoint Passwords

Cybercriminals are on a constant lookout for security cracks, through which they could invade systems. While some of them do not care much about what kinds of systems are attacked, there are hackers who have very specific targets. Of course, in such a situation, they are likely to perform much more targeted attacks. FINRA (Financial Industry Regulatory Authority) in the United States is one of the more recent victims of a targeted cyberattack. Unfortunately, such attacks are much more likely to be successful and lucrative because it is one thing to invade a system that belongs to a regular user, and it is a completely different thing to take over a system that, quite possibly, could give access to the entire network or to extremely sensitive information.

How did cybercriminals attack FINRA?

There are plenty of attack methods that cybercriminals can choose from, but it seems that phishing is the preferred one in most cases. As discussed in our previous report, spearphishing occurs when attackers target “specific users with customized messages.” Spearphishing attacks are not used for gathering private data and passwords alone. They can be used to, for example, spread malware during the COVID-19 pandemic. The cybercriminals behind the FINRA attacks, however, seemed to have been interested in gathering Microsoft Office and SharePoint passwords specifically. To achieve that, they created a very smart and deceptive phishing scam.

According to the FINRA security notice, phishing scam emails targeted at specific people within the organization started flooding in at the beginning of May. All of them were sent from the “@broker-finra.org” domain, and while it might seem legitimate to those outside the organization, insiders should know that it is not an organization-linked domain. Unfortunately, when we receive emails, we do not always look at the sender’s email address. Instead, we focus on the subject line, the message, and the signature attached to it. Here is a sample of a phishing scam email that FINRA has shared in its security notice. The subject line reads “Subject: Action Required: FINRA Broker Notice for [Firm Name].”

Dear __,

I hope you are well and keeping safe. I have been asked to send the attached document for [Firm Name] to you. They require immediate attention. This is important and needs to be attended to before the end of this week. Please let me know if you have any questions.

Kind regards,

Bill Wollman

Vice President, Head of Office of Financial and Operational Risk Policy

Needless to say, this is not the kind of email that is obviously fake. The subject line makes sense. There are no grammatical mistakes. The message does not seem suspicious. Also, it is signed by Bill Wollman, who actually is FINRA’s Executive Vice President, Office of Financial and Operational Risk Policy. Of course, fabricating subject lines, messages, and signatures to make an email appear more legitimate is possible and, in fact, very easy to do. That being said, it is unlikely that people would randomly expect emails from an Executive Vice President, which is why the misleading phishing scam email was sent to specific recipients at FINRA. If a recipient did not realize that the message was sent from a bogus @broker-finra.org domain, they might have opened the attached document without suspecting an issue; unless, of course, receiving an email from that signer was unusual for them.

According to the security notice, some samples of the phishing scam email did not contain attachments, and it is believed that this could have been a clever way to trick targets into requesting the malicious files themselves. In other instances, a file that looked like a PDF was attached to the misleading email. Recipients who opened the file were redirected to websites that requested Microsoft Office and SharePoint passwords. It is not clear what kinds of goals the attackers might have had with this phishing scam, but it is obvious that if they successfully obtained Microsoft Office and SharePoint passwords, they could have taken over personal accounts of FINRA members. This could have given them access to sensitive information and systems, which is why victims of the FINRA phishing scam MUST replace their passwords.
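The two red flags described above, a sender domain that merely contains the organization's name and an attachment that is named like a PDF but is not one, can be checked mechanically before anyone opens anything. The following script is an added example written for this post; it is not code from FINRA or Cyclonis. It uses only Python's standard `email` package, the trusted-domain list and brand token are assumptions, and the sample message is constructed to match the shape of the email quoted above (a fake sender at broker-finra.org and a "PDF" that is really HTML).

```python
"""Mail triage for a suspected spear-phishing message (added example).

Check 1: is the From domain actually the organisation's, or does it merely
         contain the brand name the way "@broker-finra.org" does?
Check 2: does an attachment named *.pdf really start with the PDF magic bytes?
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the organisation's legitimate sending domains and brand token.
TRUSTED_DOMAINS = {"finra.org"}
BRAND_TOKENS = {"finra"}

PDF_MAGIC = b"%PDF-"  # every real PDF file begins with this header


def sender_domain(msg):
    """Return the lowercase domain from the From header ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain):
    """Return 'trusted', 'lookalike' or 'external'.

    Only an exact trusted domain or a subdomain of one counts as trusted.
    Anything else that contains the brand name is a lookalike, which is the
    case most worth surfacing to the recipient."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    if any(token in domain for token in BRAND_TOKENS):
        return "lookalike"
    return "external"


def check_attachments(msg):
    """Return [(filename, verdict)] for each attachment.

    verdict is 'ok' when a .pdf starts with %PDF-, 'extension_mismatch' when
    it does not, and 'unknown' for file types this example does not inspect."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()          # bytes for application/* parts
        if isinstance(data, str):
            data = data.encode()
        if name.lower().endswith(".pdf"):
            verdict = "ok" if data.startswith(PDF_MAGIC) else "extension_mismatch"
        else:
            verdict = "unknown"
        findings.append((name, verdict))
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and run both checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    domain = sender_domain(msg)
    return {
        "domain": domain,
        "sender": classify_sender(domain),
        "attachments": check_attachments(msg),
    }


# Constructed sample: same shape as the email in the notice, with a fake
# "PDF" attachment whose body is actually HTML (a stand-in, not a real lure).
SAMPLE = b"""From: "Bill Wollman" <notices@broker-finra.org>
To: analyst@example.com
Subject: Action Required: FINRA Broker Notice for Example Firm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I have been asked to send the attached document to you.
--b1
Content-Type: application/pdf; name="Broker_Notice.pdf"
Content-Disposition: attachment; filename="Broker_Notice.pdf"

<html><body>constructed stand-in for a non-PDF attachment</body></html>
--b1--
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"sender domain {result['domain']!r}: {result['sender']}")
    for name, verdict in result["attachments"]:
        print(f"attachment {name}: {verdict}")
```

Run as-is it reports the sender as a lookalike and the attachment as an extension mismatch. The subdomain rule matters in practice: `mail.finra.org` is trusted, while `finra.org.example.com` is not, because the trusted domain must be the suffix, not merely present somewhere in the name.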

How to change passwords and ensure security in the future

If you have become a victim of the FINRA phishing scam, it does not matter whether your password was weak or strong. However, it matters whether you have reused it on different platforms. Unfortunately, some studies have shown that up to 41% of people reuse the same password on not just multiple but all accounts. Even if that one password is strong, long, and complex, it takes one data breach or one careless login, and all accounts are exposed. This is why it is NOT enough to create complicated passwords. They also need to be unique in every case. If you have revealed your Microsoft Office and SharePoint passwords because of the FINRA phishing scam, and these passwords have been reused, remember that it is not enough to just switch the Office and SharePoint passwords.

Do you know how many passwords you use? It might be hard to keep track of them all, especially if you do not use certain accounts daily. If you reuse the same combination over and over again, it is unlikely that you would ever forget it, but even if you use simple passwords on all accounts, you could forget them or mix them up. We do not believe that users should ever compromise their virtual security for convenience, which is why we recommend employing the reputable Cyclonis Password Manager, a tool that can automatically generate extremely complex, unique passwords, keep them stored in a secure vault, and help you make changes quickly in case data breaches occur.

Besides changing the password, it is also important that you enable 2FA (two-factor authentication) for your accounts. At the very least, the most important ones. 2FA acts like a chain lock that cybercriminals cannot get past even if they have the key, i.e., the password, which is why it is imperative that you set it up. Whether or not you have been affected by the FINRA phishing scam, you should follow the instructions below to set up a strong Office password and add 2-step verification.

How to change Office password and add 2-step verification

  1. Go to login.live.com/login.srf? and Sign in.
  2. In the menu at the top, click Security.
  3. Click the Password Security tab.
  4. Enter the verification code.
  5. Change the password and click Save.
  6. Back in the Security menu, click the More security options tab.
  7. Click Set up two-step verification.
  8. Click Next and follow the on-screen steps.

By Foley
July 22, 2020
