Cyber Risk Aware Blog

Q1 - SEC Filing - Phishing Attack

[fa icon="calendar"] 15-Mar-2017 07:45:00 / by Stephen Burke

Stephen Burke

A sophisticated phishing attack is trying to obtain confidential corporate information by sending spoofed emails claiming to be from the Security and Exchange Commission.

These attacks are targeting lawyers, compliance managers and company officials who file documents with the SEC. Given its coming up to quarter end, raising awareness now is very important.

FIN7 Phishing Campaign

FireEye identified this spear phishing campaign in February 2017, and have a high degree of confidence that this campaign is attributed to the financially motivated group FIN7 whom they have been tracking for some time.

FIN7 selectively target victims and uses spear phishing to distribute their malicious computer programs "malware". FireEye have observed FIN7 attempt to compromise many different organisations.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appear to be involved with SEC filings which makes sense given many are listed in past company filings which are available to the public to read. The sender email address is spoofed as EDGAR <> with the attachment named “Important_Changes_to_Form10_K.doc”.


Current Victims

Thus far, FireEye directly identified eleven targeted organisations, all based in the United States with many having international presences, in the following sectors:

  • Financial services( insurance, investment, card & loan services)
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

As the SEC is a U.S. regulatory organisation, we would expect recipients of these phishing attempts to work for U.S.-based organisations but could be located elsewhere.

However, it is worth noting that it is entirely possible that the attackers could perform similar activities masquerading as other regulatory organisations in other countries such as the FSA in the UK or the CBI in Ireland, for example.

Cyber Criminal Syndicate

John Miller, a director of threat intelligence at FireEye, described the attackers as among "the most sophisticated financial actors" and said their methods were similar to hackers who targeted ATM machines and other parts of the banking system. He also warned that the hacking tools they sought to install were particularly nasty.  

“It's the Swiss army knife of malware. It lets you do whatever you want to with the compromised system," Miller said. Fin7 is the first international cybersyndicate, a group of cybercriminals from Russia, Ukraine and other parts of Europe and China.

Assess Your Susceptibility to Phishing Emails

If you would like to test how susceptible your staff are to phishing emails and deliver instant user feedback or awareness training with our "golden nugget" (5 min) content that staff really enjoy, please register for a free trial or email

Request Cyber Risk Aware Demo

Topics: Phishing, Spear Phishing, Staff Awareness

Stephen Burke

Written by Stephen Burke