Small Business Owners in the US Hit with Phishing Campaign Impersonating SBA Officials

An unknown cyber actor is spoofing the Small Business Administration (SBA) COVID-19 loan relief website, trying to trick people into entering their credentials, according to the Cybersecurity and Infrastructure Security Agency (CISA.)

Companies of all sizes are going through difficult economic times right now. The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) is an assistance program in the US designed to help small business owners and others.

All programs that provide funding are targets for criminals, who want to siphon some of those funds or trick legitimate recipients with various schemes. In the case of the phishing campaign targeting small business owners, their goal is straightforward. Attackers look to steal victims’ credentials for use in other, more elaborate scams.

Business owners might be approached by someone pretending to offer approval of an SBA loan, but who requires an payment upfront or offers a high-interest bridge loan in the interim. The most important thing to remember is that SBA does not initiate contact on loans or grants. Any proactive communication coming from someone claiming to be from the SBA likely indicates fraud.

“The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails” says CISA’s advisory. “These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.”

CISA also revealed some indicators of compromise. The email might present differently, but this is how it usually looks.

• A subject line, SBA Application – Review and Proceed
• A sender, marked as disastercustomerservice@sba[.]gov
• Text in the email body urging the recipient to click on a hyperlink to address:
• hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov
• The domain resolves to IP address: 162.214.104[.]246

CISA advises companies to display banners on email from outside sources, keep their security products up to date, disable file and printer sharing services unless they have strong passwords or Active Directory authentication, use caution when opening email attachments, train employees for cyber awareness and more.