Spoofing the Small Business Administration (SBA): One Scam, Many Purposes

A channel to distribute malware

• Attackers leveraged fake SBA relief loans as a lure to distribute malware, such as GuLoader, Zeus Sphinx, SILENTNIGHT banking malware and Remcos RAT.
• These malware were dispatched in the form of attachments through emails disguised as either the U.S. Government SBA (SBA.gov) or organizations that distributed the COVID-19 relief funds. 
• These emails were designed in a way that enabled criminals to load malware of their choice without being detected by antivirus. 
• Moreover, a survey conducted by IBM in April revealed that close to 40% of small business owners had received at least one email pretending to be from fake SBA officials. However, the actual purpose of these emails was to deploy malware on user devices. 

A giveaway for phishing attempts 

• The second wave of SBA phishing attacks is primarily used to collect credentials and other personal information from victims.
• Lately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert about a phishing campaign that spoofed the SBA COVID-19 loan relief website to steal credentials and redirect users to malicious websites.  
• Threat actors added an additional layer of social engineering to SBA scams and tricked people into completing a fake form that asked details about their personal information, including bank account details. 

Other security concerns

• Besides spoofing attacks, vulnerabilities in websites handling SBA relief funds can also expose personal data of applicants.
• In April 2020, the U.S Small Business Administration had suffered a data breach, affecting close to 8,000 applicants who applied for the Economic Injury Disaster Loan program (EDIL). The issue arose due to a vulnerability in the website.

The uncertainty still surrounds