The Autorité des marchés financiers (AMF) is warning professionals about the extensive fraudulent and malicious use of its name, with links to various websites that could trick people into running a malicious computer program
16 January 2024

The AMF has been informed that a number of players, both regulated and unregulated by the AMF, have received emails and phone calls impersonating the AMF and one of its staff members, inviting them to visit fraudulent sites. To date, two different instances of impersonation have been observed, with no factual evidence to confirm or deny that they originate from the same hostile actor.

Technical investigations are still underway, but the evidence known to date for each scenario is as follows:

For the first scenario:

  • The email received indicates an alleged “series of important updates to optimise your user experience” and tricks users into visiting a site that turns out to be malicious.
  • The malicious site redirects users to download a Java archive file (.jar), known to date to be a malicious computer program. Its precise purpose is not yet known, but it is reasonable to believe that it allows control to be taken of the workstation of the person who opened it.
  • The technical elements are as follows: 
    • Subject of email: “geco amf 2024 update”
    • Actor copying or receiving the email: “extern@ssl-sender[.]com” 
    • Link to malicious site: “https://ssl-sender[.]com/amfupdate/”
    • Name of malicious file: “AMF-KEY-2024.jar”
    • Cryptographic fingerprints of the malicious file:
      • MD5 : e44be98fdc3e442dcb3c6a873478ad78
      • SHA1 : 56b2d54e8957131c5c3d273e1ab60bc43d78127b
      • SHA256 : 1029b217ffdc43c0f4cec916cceef1ae934f12bb71850b6050d8b3a65bfa5711

For the second scenario:

  • The email received refers to an alleged “invoice”, bearing a number starting with “AMFKEY”, which allegedly contains an “error”. The recipient is asked to “please examine the invoice as soon as possible and confirm the corrected information”.
  • The technical elements are as follows:
    • Subject of email: “Confirmation required for invoice payment ”
    • Link to the malicious site: “https://sldbprivate[.]com/protepargne.amf-france.org/update20240111.html”

The AMF invites professionals who receive such emails or who receive a phone call relating to these scenarios to:

  • carry out a retrospective search on their information system: to do this, the square brackets “[” and “]” inserted in the technical elements above must be removed;
  • be careful not to click on the fraudulent link contained in the message and not to run the malicious computer program, in order to prevent any risk of infection;
  • implement appropriate technical blocking measures;
  • and contact the AMF Epargne Info Service team, quoting “AMFKEY” as the subject:

The institution will forward this information to the public prosecutor.
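
The search of the information system recommended above can be scripted. The following Python sketch is an added example, not AMF code: it removes the square brackets from the published technical elements and matches them literally against log lines. The log formats and the sample lines are constructed assumptions.

```python
import re

# Indicators exactly as published in the advisory (still with square brackets).
PUBLISHED = [
    "extern@ssl-sender[.]com",
    "https://ssl-sender[.]com/amfupdate/",
    "https://sldbprivate[.]com/protepargne.amf-france.org/update20240111.html",
    "AMF-KEY-2024.jar",
    "geco amf 2024 update",
    "e44be98fdc3e442dcb3c6a873478ad78",
    "56b2d54e8957131c5c3d273e1ab60bc43d78127b",
    "1029b217ffdc43c0f4cec916cceef1ae934f12bb71850b6050d8b3a65bfa5711",
]

def refang(indicator):
    """Remove the square brackets the advisory inserted, e.g. '[.]' -> '.'."""
    return indicator.replace("[", "").replace("]", "")

def to_pattern(indicator):
    """Literal, case-insensitive pattern; the URL scheme is dropped so that
    http:// requests and scheme-less proxy log fields also match."""
    literal = re.sub(r"^https?://", "", refang(indicator))
    return re.compile(re.escape(literal), re.IGNORECASE)

PATTERNS = {ioc: to_pattern(ioc) for ioc in PUBLISHED}

def search(lines):
    """Return (line_number, published_indicator) for every hit in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ioc, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((number, ioc))
    return hits

# Constructed sample log lines (not real telemetry); the formats are assumptions.
SAMPLE_LOG = [
    "2024-01-12T09:14:02Z proxy user=alice GET https://www.amf-france.org/en 200",
    "2024-01-12T09:15:40Z proxy user=bob GET http://SSL-Sender.com/amfupdate/ 200",
    "2024-01-12T09:15:44Z edr host=pc-17 file=C:\\Users\\bob\\Downloads\\AMF-KEY-2024.jar "
    "sha256=1029b217ffdc43c0f4cec916cceef1ae934f12bb71850b6050d8b3a65bfa5711",
    '2024-01-12T10:02:11Z mail to=carol subject="Geco AMF 2024 update" cc=extern@ssl-sender.com',
    "2024-01-12T10:30:00Z proxy user=dave GET https://protepargne.amf-france.org/ 200",
]

if __name__ == "__main__":
    for number, ioc in search(SAMPLE_LOG):
        print(f"line {number}: matched {ioc}")
```

Because the second scenario's link carries an amf-france.org name in its path, the patterns match the whole indicator rather than that fragment, so the constructed lines pointing at amf-france.org hosts are not flagged.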

About the AMF

The AMF is an independent public authority responsible for ensuring that savings invested in financial products are protected and that investors are provided with adequate information. The AMF also supervises the orderly operations of markets. Visit our website https://www.amf-france.org/en

AMF Communications Directorate