How phishing attacks have exploited the US Small Business Administration

COVID-19 has proved to be a field day for cybercriminals who have used the outbreak to create malware associated with the virus and its various repercussions. One popular tactic is to spoof organizations involved in relief efforts, whether medical or financial.

The US Small Business Administration has been offering loans to businesses and other groups affected by the pandemic and lockdown, turning it into a target ripe for impersonation in phishing attacks. A report published Monday by security firm Malwarebytes tracks some of the different phishing campaigns that have sought to exploit the SBA.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium) 

First wave

April saw the first round of coronavirus-related attacks designed to deploy malware. Phishing emails were found containing malicious attachments with names such as “SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img.” The emails used the SBA logo and branding and prompted recipients to complete a grant for small business disaster assistance. One piece of malware hidden in the attached files was GuLoader, which is used to download the payload of your choice at the same time it attempts to evade antivirus detection.

Second wave

Following the April campaign, a second wave of phishing emails appeared, complete with SBA logos and branding and claiming to be from the SBA’s Office of Disaster Assistance. Promising that the recipient’s SBA application has been approved, the message invited them to click a button to review the funding process. The link in that button took users to the phishing page, which attempted to obtain certain account credentials as a way to scam them in the future. The main tipoff comes from the URL that pops up when you hover over the button as the address has no connection with the SBA.

Third wave

Spotted by Malwarebytes in early August, a third wave of phishing emails ask the recipient to fill out an attached form for disaster loan assistance. The user is prompted to provide both personal and financial information, specifically bank account details. As with the other campaigns, this one uses SBA branding and sender addresses that seem to come from the agency. However, the domain for the phishing page was registered just a few days prior to the campaign and clearly doesn’t belong to the government, according to Malwarebytes.

Digging into these emails can also reveal clues as to their legitimacy, or lack thereof. Depending on your email client, you can often view the header information for each specific message. For example, in Microsoft Outlook, you’d click the File menu and then select Properties. In the Internet headers section, the Received address displays a host name. With these latest phishing emails, the host name showed a URL that looked suspicious to Malwarebytes and was actually described in another scam campaign.

Beyond digging deeper into the emails, Malwarebytes offers other advice on how to protect yourself against these phishing attacks.

Check the DOJ and SBA websites. Both the Department of Justice and the Small Business Administration have warned of scams pertaining to loans. Their respective sites provide tips on how to steer clear of malicious schemes.

Beware the sender’s address. Perhaps the biggest takeaway, especially when it comes to phishing emails is that the sender’s address can easily be spoofed and is in no way a solid guarantee, even if it looks exactly the same.

Double-check the information. Double-check the legitimacy of any suspicious email by phoning the organization. Never dial the number found in an email or left on a voice mail as it could be fake.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see