NPOs and NGOs are no stranger to cyber attacks targeting their members. A few examples of recent phishing campaign subjects include:

Mercy Corps and the International Federation of Red Cross and Red Crescent Societies in 2020: Along with various aid groups, suffered from rising cyber attack volumes capitalizing on the COVID-19 pandemic.

Political and NGOs in South and East Asia from 2014 to 2020: Perpetrated by targeted attack group Bronze President and used a combination of specially crafted and publicly available tools to monitor target organizations’ activities to discredit them or steal their intellectual property.

United Nations Children’s Fund (UNICEF) in October 2019: Used fake domains such as session-services[.]com and service-ssl-check[.]com.

More recently, phishers used a Financial Industry Regulatory Authority (FINRA) look-alike domain in an attempt to breach several of its members’ networks. Tasked to oversee 624,000 brokers in the U.S., attacking FINRA’s clientele could yield a hefty sum should phishing email recipients fall for the ruse.

How FINRA Members Can Avoid Getting Phished

Publicly available information on the phishing scam identified the domain invest-finra[.]org as an indicator of compromise (IoC). Using a bevy of WHOIS, Domain Name System (DNS), and IP intelligence tools, we listed telltale signs of typosquatting domain use (even if its WHOIS record has been redacted) that FINRA members could take note of to avoid getting phished.

WHOIS Lookup: Used to spot differences that could point to malicious activity by comparing the WHOIS records of the official FINRA domain (finra[.]org) with that of the phishing domain (see Table 1).

Reverse WHOIS Search: Used to find domains that contain “finra.” Some of these may not be publicly attributable to the organization. If that is the case, further scrutiny may be required should other domains that have not yet been disclosed and not under FINRA’s control figure in other attacks.

A lookup for all domain names containing the string “finra” yielded a list of 439 domains. Of these, only 365 are possibly owned and maintained by the organization because they shared the legitimate FINRA domain’s registrant organization name and country. Around 16% or 71 domain names do not share the said data points or could not be publicly attributed to FINRA. Among the non-publicly attributable domain names, finra-apple[.]com proved malicious.

DNS Lookup API: Used to determine IP addresses related to the fake FINRA domain. Our search revealed the IP address 217[.]70[.]184[.]38, which proved malicious when subjected to a search on VirusTotal.

Reverse IP/DNS Lookup: Used to identify domain names that resolved to the same IP address as invest-finra[.]org. We uncovered several domain names, some of which were dubbed “suspicious” by VirusTotal (e.g., 0011100[.]xyz and 001952[.]xyz) and others “malicious” (e.g., 020408[.]xyz and 0a0074066c49886a39b5a3072582f5d6[.]net).

The Attack Surface Discovery Lowdown

By utilizing various WHOIS, DNS, and IP intelligence sources, we were able to proceed with an attack surface discovery analysis and obtain more IoCs apart from the one that has been publicly reported. These include:

• 71 domain names, one of which has proven malicious
• An IP address that was also dubbed “malicious”
• At least 300 domains that resolved to the same IP address as invest-finra[.]org, some of which were cited as “suspicious” and others “malicious”

Companies that liaise with FINRA could protect their systems and networks better from phishing and more sinister attacks by including additional IoCs like the following ones to their blacklists:

• finra-apple[.]com
• 217[.]70[.]184[.]38
• 0011100[.]xyz
• 001952[.]xyz
• 020408[.]xyz
• 0a0074066c49886a39b5a3072582f5d6[.]net

As this short study showed, consulting as many available threat intelligence sources helps organizations maintain a more secure network by identifying as much of their potential attack surface as possible.