FINRA warns brokerage firms of phishing email spam campaign

  • The phishing emails targeting brokerage firms purport to be from a legitimate credit union attempting to notify the firms about potential money laundering.
  • These phishing emails also come with a number of other fraud red flags.

The Financial Industry Regulatory Authority (FINRA) has issued an information notice to alert brokerage firms to an ongoing phishing campaign that targets its member firms.

The Financial Industry Regulatory Authority (FINRA) is a non-profit organization authorized by Congress that protects America’s investors by ensuring that the broker-dealer relationship operates smoothly and fairly.

Malicious email campaign

FINRA issued the phishing campaign warning after it received complaints from several brokerage firms stating that they had received suspicious emails targeting their compliance personnel.

“The email appears to be from a legitimate credit union attempting to notify the firm about potential money laundering involving a purported client of the firm,” the information notice read.

The phishing email comes with an attachment containing a malicious document, and the email urges the brokerage firm to open it. Once the attachment is downloaded, the malware gains unauthorized access to the victim's machine.

Phishing emails purported to be from a BSA-AML compliance officer

Member firms that received such phishing emails reported that the emails purported to be from a BSA-AML compliance officer working at a legitimate Indiana-based credit union.

The member firms further noted that the phishing emails stated that a money transaction made by a firm client to the credit union was put on hold due to a potential money laundering issue.

They further noted that the sender attempted to provide some authenticity to the emails by including a reference to a provision of the USA Patriot Act that relates to the ability of financial institutions to share information with each other.

FINRA noted that these phishing emails also come with a number of other fraud red flags, such as:

  • The email address appears to be from Europe instead of the U.S.-based credit union.
  • Numerous occurrences of poor grammar and sentence structure.
  • A request that the recipient open the email attachment for more details.
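
The sender-origin and attachment red flags above can be checked mechanically during mail triage; the grammar flag is left to the analyst. The following is an added example, not code from FINRA's notice, and its sample message, domains, TLD list and the `red_flags` helper are all constructed or hypothetical:

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative set of European country-code TLDs, not a complete list.
EUROPEAN_CCTLDS = {"de", "es", "fr", "it", "nl", "pl", "ro", "ru", "ua", "uk"}

# Constructed sample message; every address and domain in it is made up.
SAMPLE = """\
From: "BSA-AML Compliance Officer" <compliance@notice.example.de>
To: compliance@brokerage.example
Subject: Transaction on hold
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please to open attached document for details of held transfer.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="details.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

def red_flags(raw_message, org_domains):
    """Return the notice's machine-checkable red flags that apply to one message.

    org_domains: domains the organization named in the message really sends
    from, supplied by the analyst (hypothetical values in this example).
    """
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    flags = []
    # Sender domain is neither one of the organization's domains nor a subdomain of one.
    if not any(domain == d or domain.endswith("." + d) for d in org_domains):
        flags.append("sender-domain-mismatch")
        if domain.rpartition(".")[2] in EUROPEAN_CCTLDS:
            flags.append("european-cctld-sender")
    # The message carries an attachment the recipient is being asked to open.
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        flags.append("has-attachment")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, {"creditunion.example"}))
```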

FINRA’s recommendations

  • FINRA recommends that its member firms exercise caution when opening or responding to any suspicious emails from unknown senders.
  • It asks firms not to open any links or attachments from anonymous senders.
  • Additionally, it urges brokerage firms that receive any suspicious emails to report the incident at or whistleblower[at]finra[dot]org.

Google Chrome 72 abandons HPKP and patches a bunch of security vulnerabilities

  • Chrome 72 comes with revamped browser settings along with improved security features.
  • The world’s most-used browser will now stop supporting HTTP Public Key Pinning (HPKP) mechanism.

Yesterday, Google announced the latest version of Chrome, v72, for Windows, Mac, and Linux systems. This version is expected to roll out on various devices in the coming days.

Chrome 72 comes with many improvements and sports a revamped look. The Chrome team has also patched 58 major security vulnerabilities that existed in the browser earlier.

Removes HPKP and resource rendering in FTP

Chrome 72 no longer supports HPKP. Google had earlier announced that it would part ways with the security mechanism, as it had problems within its developer framework. In fact, HPKP is quite difficult to implement, which is why few websites use it. Strangely, it was Google that introduced this mechanism a few years ago, while most browsers did not pick up on the concept.

Apart from dropping HPKP, Chrome has also stopped rendering resources served from FTP sites. Whenever a user loads an FTP link, the browser prompts the user to download the media instead of displaying it.

Deprecating TLS 1.0 and TLS 1.1

Google plans to end support for TLS 1.0 and TLS 1.1 by 2020. These two authentication protocols have been on the receiving end of criticism due to inherent vulnerabilities present in them.

“Chrome 72 is only deprecating TLS 1.0 and TLS 1.1, meaning that when users access an HTTPS site using legacy TLS 1.0 or 1.1 certificates, Chrome will show an error in its developer console, but not block users from accessing the site. This will happen starting with Chrome 81,” reported ZDNet, regarding the development.