The CISA (Cybersecurity & Infrastructure Security Agency) has recently published an advisory, warning of a new phishing campaign that specifically targets business owners who have received pandemic relief in the form of loans from the Small Business Administration. Apparently, according to the advisory, the campaign was launched toward the end of July 2020 by an as yet unknown group of hackers. It was altered slightly in August.
In the initial wave of emails, the goal seemed to be to steal SBA login credentials. The latest effort focuses much more on attempting to trick recipients into providing a range of personal and financial information.
The campaign emails all bear subject lines that are some variant of “SBA Application – Review and Proceed” and comes from the (spoofed) email address: disastercustomerservice@sba.gov.
A link embedded in the body of the email claims to take the recipient to the SBA signup where they will sign in to receive financial assistance. Naturally, the website is merely a spoof of the actual SBA page, replicated over several top-level domains.
Security researchers tracking the campaign note that some of the phishing emails direct recipients to websites containing the GuLoader malware that is used to drop other malware payloads onto the machines of unsuspecting users. Researchers note that the most recent wave of emails uses social engineering techniques that are sophisticated enough to fool even some security professionals.
If you are a business owner and have received pandemic relief or are considering applying for benefits, your best bet is to ignore any emails you might receive. Instead of clicking email links that promise to take you to the SBA’s website, open a new browser tab, and manually navigate your way there. It’s a shame that hackers are taking such an advantage at a time like this, but sadly, it’s not much of a surprise.
