Cyber Incident Victim: U.S. Financial Industry Regulatory Authority
Date: Aug 2020
Location: United States of America
Summary
The U.S. Financial Industry Regulatory Authority (FINRA) alerted member firms to a fraudulent website impersonating its official finra.org domain through the typosquatted address finnra[.]org (one extra "n"), which hosted a registration form likely designed to harvest contact and account details for use in targeted phishing. The impersonation site shared an IP address with several other suspicious domains, including some mimicking government and financial entities, though no phishing emails sent from the domain had been confirmed at the time. FINRA warned that any information submitted through the form could be used to tailor spear-phishing against the affected members and urged them to treat any communication referencing those details with suspicion.
Description
On August 13, 2020, the U.S. Financial Industry Regulatory Authority (FINRA) issued a regulatory notice alerting its members to a fraudulent website impersonating its official finra.org domain. The imposter site used the domain finnra[.]org, a single inserted "n" away from the legitimate name, so that a casual glance at a link or sender address would not reveal the difference. FINRA, the self-regulatory organization that oversees U.S. broker-dealers, identified the copycat site as a likely staging point for phishing against its member firms. The fraudulent domain hosted a registration form designed to harvest sensitive information, which attackers could use to make follow-on spear-phishing messages more convincing. No phishing emails sent from finnra[.]org had been confirmed when the notice was issued, but security researchers identified infrastructure overlaps suggesting broader malicious activity.

DomainTools analysis showed that finnra[.]org resolved to an IP address shared with multiple other domains, including x32team.website, a hostname associated with a group that published a 2018 YouTube video demonstrating how to build malicious documents. Other domains on the same IP ranged from plausible-sounding business names such as aerolanelogisticsservice.com to overtly suspicious ones such as bnk-us.com and us-govt.com, though their operational status and purpose remained unverified. Co-location on a single IP is only a weak signal by itself, since shared hosting routinely places unrelated sites on one address, which is why the analysis stopped short of attributing the other domains to the same operator. FINRA advised members to delete any communications originating from finnra[.]org and to remain vigilant for targeted attacks if they had submitted information through the fraudulent registration portal. The incident underscored the persistent threat of domain spoofing against financial regulators and their constituents; the full scope of attacker activity and of any data collected was not publicly disclosed.
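The following is an added example, not code from FINRA, DomainTools, or the original notice. It shows the check a member firm's security team could run over its own passive-DNS or newly-registered-domain feed: generate single-edit lookalikes of a protected domain (the way typosquat monitors do), flag any observed domain whose registered label matches one, and then pivot on the shared IP address as the analysis above did. The records and IP addresses below are constructed for the demonstration; the real resolving addresses were not published.

```python
"""Typosquat watchlist check plus shared-IP pivot (added example, not from the page)."""
from collections import defaultdict

# Domain the member firm wants to protect (finra.org, from the notice).
PROTECTED = ("finra.org",)

# Constructed passive-DNS style records: (domain, resolved IP). The IPs are
# placeholders from the documentation ranges; the real addresses were not published.
RECORDS = [
    ("finra.org", "198.51.100.5"),
    ("finnra.org", "203.0.113.10"),
    ("x32team.website", "203.0.113.10"),
    ("aerolanelogisticsservice.com", "203.0.113.10"),
    ("bnk-us.com", "203.0.113.10"),
    ("us-govt.com", "203.0.113.10"),
    ("example.net", "192.0.2.44"),
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def registered_label(domain):
    """Return the label left of the TLD, e.g. 'finnra' for 'finnra.org'.
    Naive split on the last dot: fine for the TLDs here, wrong for co.uk-style suffixes."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typo_variants(label):
    """All one-edit lookalikes of a label: insertion (covers the doubled 'n' in
    finnra), deletion, adjacent transposition, and single-character substitution."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])  # deletion
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i:])       # insertion before position i
            variants.add(label[:i] + c + label[i + 1:])   # substitution at position i
    for c in ALPHABET:
        variants.add(label + c)  # insertion at the end
    variants.discard(label)  # the genuine name is not a lookalike
    return variants


def find_lookalikes(records, protected=PROTECTED):
    """Map each observed lookalike domain to the protected domain it imitates."""
    hits = {}
    for prot in protected:
        variants = typo_variants(registered_label(prot))
        for domain, _ip in records:
            if domain.lower() == prot.lower():
                continue
            if registered_label(domain) in variants:
                hits[domain] = prot
    return hits


def cohosted(records, domain):
    """Other domains resolving to the same IP(s) as `domain`: the pivot that
    surfaced x32team.website and the rest. Treat as a lead, not as attribution."""
    by_ip = defaultdict(set)
    for d, ip in records:
        by_ip[ip].add(d)
    ips = {ip for d, ip in records if d == domain}
    if not ips:
        return []
    neighbours = set().union(*(by_ip[ip] for ip in ips))
    return sorted(neighbours - {domain})


if __name__ == "__main__":
    for lookalike, target in find_lookalikes(RECORDS).items():
        print(f"{lookalike} imitates {target}; co-hosted with: {cohosted(RECORDS, lookalike)}")
```

The variant generator is the proactive half: the same list can be fed to a registrar or certificate-transparency monitor so the firm hears about finnra.org-style registrations before a notice goes out. The co-hosting function is deliberately kept separate so that a shared IP raises the priority of a hit rather than creating one.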
