In a blog post on Tuesday, cybersecurity vendor FireEye’s threat research team said it had identified a spear phishing campaign that targets corporate finance teams involved in preparing Securities and Exchange Commission filings.
Spear phishing is “the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information,” according to Wikipedia.
In the attacks, which FireEye discovered in late February, the sender address of the fraudulent emails is spoofed as EDGAR <firstname.lastname@example.org> and each email carries a Microsoft Word document attachment named “Important_Changes_to_Form10_K.doc,” according to FireEye.
The intended recipients of the spear phishing campaign all appeared to be involved with SEC filings for their respective organizations, said FireEye. “Many of the recipients were even listed in their company’s SEC filings,” the company said in the blog post.
FireEye said on Tuesday that it has identified 11 organizations that have been targeted by the spear phishing campaign. They are in the financial services, transportation, retail, education, IT services, and electronics industries.
According to FireEye, “as the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.”
Based on the tools, tactics, and procedures used by the fraudsters, FireEye said the perpetrator was most likely FIN7, a “financially motivated threat group” that “selectively targets victims and uses spear phishing to distribute its malware.”
FireEye said it has “observed FIN7 attempt to compromise diverse organizations for malicious operations — usually involving the deployment of point-of-sale malware — primarily against the retail and hospitality industries.”
What kind of information is FIN7 trying to scam from finance organizations? FireEye is unsure.
“We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our [FireEye as a Service] team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft,” according to the FireEye blog post.
“However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”
The malware being used in the campaign has previously been used in attacks designed to conduct fraudulent banking transactions and compromise ATMs.