
FINRA issues Cyber Alert regarding quishing attacks targeting firms

On Behalf of | Jul 9, 2024 | FINRA Compliance

The Financial Industry Regulatory Authority has issued a Cyber Alert to warn member firms about an advanced social engineering attack known as ‘quishing’.

Quishing is a business email compromise (BEC) attack that uses QR codes embedded in PDF attachments to redirect victims to phishing URLs. These attacks are especially difficult to monitor with typical endpoint detection because victims usually scan the QR codes on personal mobile devices that they also use for business, so the phishing page is loaded outside the firm's managed environment.

FINRA’s alert states that ONNX Store, a Phishing-as-a-Service (PhaaS) platform, is targeting Microsoft 365 (M365) accounts at FINRA member firms.

Regulators said ONNX Store is particularly successful in executing BEC attacks because it:

- Uses QR codes to redirect victims to phishing sites that mimic the legitimate M365 login page, allowing for the execution of Adversary-in-the-Middle (AitM) attacks;
- Circumvents two-factor authentication (2FA) by intercepting 2FA requests;
- Uses specific hosting services to delay the takedown of phishing domains;
- Purportedly uses encrypted JavaScript code to further evade detection.

Firms were advised to review this information with any vendors who provide them with information technology services.

FINRA detailed some of the effective practices firms may consider as part of a comprehensive cybersecurity program, including:

- Ensure IT personnel are aware of the quishing attack vector.
- Provide end-user awareness training to warn against the threat of social engineering, including the risks associated with malicious PDF attachments and scanning QR codes.
- Exercise caution when receiving unsolicited requests or items (e.g., QR codes, PDF attachments, hyperlinks), including those that foster a sense of urgency.
- Avoid providing sensitive information on websites reached through an unsolicited QR code or link; instead, visit sites directly by manually typing trusted website addresses into an internet browser.
- Update email server settings to block attachments from unverified senders.
- Shorten login token expiration times.
- Impose additional defense-in-depth tactics (e.g., leverage domain name system security extensions (DNSSEC) and security monitoring tools to detect anomalous behavior).
- Implement additional forms of multi-factor authentication (i.e., use hardware keys).
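Two of the practices above (blocking attachments from unverified senders, and monitoring for the QR-to-lookalike-login pattern the alert describes) can be expressed as a simple mail-gateway policy. The following Python is an added example, not code from FINRA or Lewitas Hyman; it assumes the gateway has already parsed the message's Authentication-Results header and has already decoded any QR codes found in PDF attachments into URLs (the PDF rasterizing and QR decoding step is outside this snippet). The trusted-host list, brand tokens and sample messages are constructed assumptions to be tuned per tenant.

```python
"""Gateway policy check for QR-code ("quishing") lures (added example, hypothetical)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts a genuine Microsoft 365 sign-in may use (assumption: adjust for your tenant).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Brand words that, appearing in some other host name, suggest a look-alike login page.
BRAND_TOKENS = ("microsoft", "office365", "o365", "m365", "outlook", "sharepoint")


@dataclass
class Message:
    sender_domain: str
    auth_results: str                 # raw Authentication-Results header value
    attachment_types: list            # MIME types of attachments
    qr_urls: list = field(default_factory=list)  # URLs decoded from QR codes in attachments


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc outcomes, e.g. {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'none'}."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header, re.IGNORECASE)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def sender_verified(auth: dict) -> bool:
    """A sender counts as verified only if DMARC passes, or both SPF and DKIM pass."""
    return auth["dmarc"] == "pass" or (auth["spf"] == "pass" and auth["dkim"] == "pass")


def classify_url(url: str) -> str:
    """'trusted' for a known login host, 'lookalike' for brand words on any other host, else 'external'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "external"


def evaluate(msg: Message) -> tuple:
    """Return (verdict, reasons); verdict is 'deliver', 'quarantine' or 'block'."""
    reasons = []
    auth = parse_auth_results(msg.auth_results)
    unverified = not sender_verified(auth)
    # Practice: attachments from unverified senders are held rather than delivered.
    if unverified and msg.attachment_types:
        reasons.append(f"attachment from unverified sender {msg.sender_domain} ({auth})")
    # Practice: a QR code resolving to a look-alike M365 sign-in page is the quishing signature.
    lookalike = False
    for url in msg.qr_urls:
        kind = classify_url(url)
        if kind == "lookalike":
            lookalike = True
            reasons.append(f"QR code points at look-alike login host: {url}")
        elif kind == "external" and unverified:
            reasons.append(f"QR code from unverified sender points off-site: {url}")
    if lookalike:
        return "block", reasons
    if reasons:
        return "quarantine", reasons
    return "deliver", reasons


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "vendor_invoice": Message(
        "vendor.example",
        "mx.example.com; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; "
        "dmarc=pass header.from=vendor.example",
        ["application/pdf"], ["https://login.microsoftonline.com/common/oauth2/authorize"]),
    "quishing_lure": Message(
        "attacker.example",
        "mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; "
        "dmarc=fail header.from=attacker.example",
        ["application/pdf"], ["https://login.microsoftonline.com.example-verify.net/auth"]),
    "plain_reply": Message(
        "colleague.example",
        "mx.example.com; spf=pass smtp.mailfrom=colleague.example; dkim=pass header.d=colleague.example; "
        "dmarc=pass header.from=colleague.example",
        []),
    "unverified_pdf": Message(
        "unknown.example",
        "mx.example.com; spf=softfail smtp.mailfrom=unknown.example; dkim=fail header.d=unknown.example; "
        "dmarc=fail header.from=unknown.example",
        ["application/pdf"]),
}


def run_samples() -> dict:
    """Verdict for each constructed sample, keyed by name."""
    return {name: evaluate(m)[0] for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        verdict, reasons = evaluate(msg)
        print(f"{name}: {verdict}")
        for r in reasons:
            print("   -", r)
```

The look-alike test deliberately keys on the host name rather than the full URL, because the alert's lure imitates the M365 login page itself; a host such as `login.microsoftonline.com.example-verify.net` passes a naive "starts with login.microsoftonline.com" check but fails this one. The `block` verdict is reserved for that pattern, while merely unverified senders with attachments are quarantined for review, matching the two distinct practices FINRA lists.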

The attorneys at Lewitas Hyman fully understand the regulatory scrutiny financial professionals and their firms face from the various regulators that oversee the financial services industry. We have decades of experience representing clients with respect to examinations, investigations and enforcement proceedings initiated by the SEC, FINRA, state securities regulatory agencies and other self-regulatory organizations. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655 6002 or through our online contact form.