Figure 1: A financial advisor impersonation website paired with an “investor” portal for potential victims to upload identity documents and deposit funds into impersonator-controlled cryptocurrency wallets.

Escalation in Financial Advisor Impersonation Tactics

DomainTools Research continues to track a well-organized financial advisor impersonation campaign with close ties to West Africa which was first shared in January. Notably, this financial advisor impersonation fraud ring now attempts to impersonate the Financial Industry Regulatory Authority (FINRA), an independent financial regulator that provides essential support to protect investors and brokerages, to solicit additional identity verification documents from victims in the name of anti-money laundering (AML) procedures. 

This update explores how this added layer of deception represents an escalation in tactics by this fraud ring and presents additional risk to consumers and financial institutions. We will use one such financial advisor impersonation website as a specific example.

Due to privacy concerns for those being impersonated, financial advisor names, domains containing legal names, contact information, photographs, and the associated financial institutions these advisors represent have been excluded or redacted. While this limits the IOCs we can share publicly, we want to err on the side of caution to protect those being impersonated.

A Brazen Attempt to Deceive Investors and Steal Identity Documents

FINRA, which is authorized by the U.S. Congress and works closely with the Securities and Exchange Commission, states that it oversees more than 624,000 financial brokers.

We first reported that the fraudsters used FINRA as a repository from which they gathered investment advisor data for impersonations. Now we believe the fraudsters tied to this campaign are attempting to pose as FINRA itself to bolster their own false claims and collect identity verification documents from unwitting victims. Figure 2 contains a screenshot from a financial advisor impersonation website claiming that “Finra” (sic) is their “KYC and AML services provider.” 

Figure 2: Screenshot of selected portion of a financial advisor impersonation website, including a button to “contact FINRA” if the prospective victim has any questions. Clicking the button does not actually contact FINRA.

This tactic attempts to exploit investor confusion regarding the role of FINRA in how it regulates financial advisors by brazenly claiming that FINRA is their know-your-customer (KYC) and anti-money laundering (AML) provider. Within the context of financial services, KYC and AML are anti-fraud procedures in which the customer (or client) provides documents to prove their identity. To be clear, FINRA does not provide these services. Instead of using KYC as a necessary process to validate a client or customer’s identity to prevent fraud, this impersonation campaign uses the guise of KYC to commit additional fraud.

That same financial advisor impersonation website from Figures 1 & 2 also contains an “investor” panel that allows potential victims to upload identity documents, as shown in Figure 3. Examples of such documents include: 

  • government-issued documents like passports, ID cards, or driver’s licenses; 
  • utility bills; 
  • proof of residence like a rental agreement or mortgage; and
  • bank account statements. 

These documents are highly valued in fraud communities. A victim that uploads identity documents to a fraudulent service will likely see those documents sold by or otherwise shared within several cybercrime communities. This represents a significant ongoing fraud risk for victims which may haunt victims for years. And remember, this new identity fraud exists in addition to the existing cryptocurrency “investment” scam which remains the core mode of operation for this fraud ring. By combining these two fraudulent activities together on one financial impersonation website, the fraud rings look to create an ‘air of legitimacy’ to both scams by reinforcing a broader set of information that a possible customer may expect to see.

Figure 3: A screenshot from the impersonation website’s “KYC Verification” workflow. The ID Type field lists several kinds of ID traditionally used in KYC.

FINRA Impersonation Infrastructure

Reviewing the impersonation website’s page source reveals the FINRA impersonation domain finraglobal[.]org and email address admin@finraglobal[.]org (Figure 4). The domain finraglobal[.]org uses the host 82.180.172[.]248 which is provided by Lithuania-based Hostinger. Passive DNS record analysis also reveals several dubious cryptocurrency investment domains appearing on this same host. DomainTools Research cannot verify the ownership relationship between this Hostinger infrastructure and the SpeedHost247-hosted infrastructure referenced in the previous blog post.

IOCs:

  • 82.180.172[.]248
  • finraglobal[.]org
  • admin@finraglobal[.]org

Figure 4: Page source for the button referenced in Figure 2. It links to the impersonation email admin@finraglobal[.]org.
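The IOCs above, and the closing advice that infrastructure data combined with SOC context helps catch these scams early, translate into a small detection pass over DNS and proxy logs. The following is an added example for defenders, not code from DomainTools or from the campaign. It assumes a constructed space-separated key=value log format (`query=`/`answer=` for DNS resolver lines, `host=`/`dst=` for proxy lines, `mailto=` for mail-client lines) and a deliberately simple registrable-domain heuristic; the sample log lines, the RFC 5737 test addresses and the look-alike domain `finra-verify-kyc.com` are all constructed for illustration. Beyond exact IOC matches it also flags any registrable domain that embeds the "finra" brand string but is not finra.org, so new look-alikes surface as candidates for analyst review.

```python
"""Scan key=value DNS/proxy log lines for the FINRA impersonation IOCs and look-alike domains."""
import re
from typing import Dict, List, Tuple

# Indicators from the IOC list above, stored undefanged so they match live logs.
IOC_DOMAINS = {"finraglobal.org"}
IOC_IPS = {"82.180.172.248"}
IOC_EMAILS = {"admin@finraglobal.org"}

# The regulator's real domain; any other registrable domain carrying the brand
# token is reported as a look-alike candidate for analyst review (not auto-blocked).
LEGITIMATE_DOMAINS = {"finra.org"}
BRAND_TOKEN = "finra"

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one space-separated key=value log line (constructed format) into a dict."""
    return dict(KV_RE.findall(line))


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: no public-suffix list is consulted, so a host
    under a two-level suffix such as example.co.uk would be reduced incorrectly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_lookalike(host: str) -> bool:
    """True when the registrable domain embeds the brand token but is not the real domain."""
    reg = registered_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return False
    return BRAND_TOKEN in reg.split(".")[0]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (finding_type, value) pairs for one log line; empty list if clean."""
    fields = parse_kv_line(line)
    findings: List[Tuple[str, str]] = []

    host = fields.get("query") or fields.get("host", "")
    if host:
        if registered_domain(host) in IOC_DOMAINS:
            findings.append(("ioc_domain", host))
        elif is_brand_lookalike(host):
            findings.append(("lookalike_domain", host))

    ip = fields.get("answer") or fields.get("dst", "")
    if ip in IOC_IPS:
        findings.append(("ioc_ip", ip))

    for value in fields.values():
        if value.lower() in IOC_EMAILS:
            findings.append(("ioc_email", value))
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, Tuple[str, str]]]:
    """Scan every line, returning (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample log: one resolver hit on the IOC domain, one benign FINRA lookup,
# one previously unseen look-alike, one proxy connection to the IOC host, one mailto click.
SAMPLE_LOG = [
    "ts=2024-05-01T12:00:01Z src=10.1.2.3 query=www.finraglobal.org answer=82.180.172.248",
    "ts=2024-05-01T12:00:02Z src=10.1.2.4 query=brokercheck.finra.org answer=203.0.113.10",
    "ts=2024-05-01T12:00:03Z src=10.1.2.5 query=finra-verify-kyc.com answer=198.51.100.7",
    "ts=2024-05-01T12:00:04Z src=10.1.2.6 host=example.com dst=82.180.172.248",
    "ts=2024-05-01T12:00:05Z src=10.1.2.7 mailto=admin@finraglobal.org",
]

if __name__ == "__main__":
    for lineno, (kind, value) in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
```

Exact IOC hits are worth an alert on their own; look-alike hits are only candidates, since a legitimately named third party could also contain the token, which is why the two are reported under different finding types. The registrable-domain heuristic should be replaced with a public-suffix-aware library before running this against production logs.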

Conclusion

A fraudster’s brazenness is perhaps only matched by their creativity. This West African-based financial advisor impersonation ring has expanded their set of activities to include both cryptocurrency “investment” scams and identity theft via fraudulent KYC identity workflows. By using regulatory organizations like FINRA to further bolster their schemes, the fraudsters have escalated their tactics and, in doing so, created an even more treacherous environment for investors and brokerages.

It remains to be seen whether FINRA imitation meaningfully increases a financial advisor impersonation campaign’s success rate or meaningfully increases victim losses, but such a shift should give investors and brokers alike pause. We urge investors to exercise caution when considering investments and to thoroughly review prospective financial advisors. Investors should view cryptocurrency and other non-traditional investment vehicles with “guaranteed” rates of return with a healthy dose of skepticism. We also suggest that prospective clients contact their financial advisors through several different methods, such as by telephone, Internet video call, and even in person, if practical. Finally, when a website asks for specific identity documentation, be sure you understand with whom you are really sharing this information.

For financial institutions facing these increasingly brazen impersonation campaigns, Internet infrastructure information related to these domains and hostnames, in conjunction with context from your SOC or threat intel team, can make the difference in identifying and mitigating these scams before they can affect your organization or your customers.

DomainTools has the data and resources to help. Please contact us for a demo if you’d like to see how our tools can fit with your business needs.