Spoofing the Small Business Administration (SBA): One Scam, Many Purposes

Since it began, the COVID-19 pandemic has created a multitude of opportunities for threat actors looking to make quick money, distribute malware, and steal credentials. One attack vector that has remained popular is impersonating the Small Business Administration (SBA) and its COVID-19 relief loan program. 

Here’s a look at how cyber crooks tapped into COVID-19 relief loans to fulfill their malicious intents. 

A channel to distribute malware

  • Attackers leveraged fake SBA relief loans as a lure to distribute malware, such as GuLoader, Zeus Sphinx, SILENTNIGHT banking malware and Remcos RAT.
  • This malware was delivered as email attachments in messages disguised as coming either from the U.S. Government SBA (SBA.gov) or from organizations that distributed the COVID-19 relief funds. 
  • The attachments acted as loaders, letting the criminals drop a payload of their choosing while evading antivirus detection. 
  • Moreover, a survey conducted by IBM in April revealed that close to 40% of small business owners had received at least one email purporting to be from SBA officials. The real purpose of these emails was to deploy malware on the recipient's device. 

A giveaway for phishing attempts 

  • The second wave of SBA phishing attacks is primarily used to collect credentials and other personal information from victims.
  • Recently, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert about a phishing campaign that spoofed the SBA COVID-19 loan relief website to steal credentials and redirect users to malicious websites.  
  • Threat actors added a further layer of social engineering to SBA scams, tricking people into completing a fake form that asked for personal information, including bank account details. 

Other security concerns

  • Besides spoofing attacks, vulnerabilities in websites handling SBA relief funds can also expose personal data of applicants.
  • In April 2020, the U.S. Small Business Administration suffered a data breach affecting close to 8,000 applicants to the Economic Injury Disaster Loan program (EIDL). The issue arose from a vulnerability in the loan application website.

The uncertainty remains

It is not just the SBA that is being impersonated. Threat actors are creating similar scams around other well-known financial services companies, such as Wells Fargo and American Express, in a bid to steal funds and financial details from users. 

Though such scams will eventually subside, researchers suggest that a general lack of awareness and the public’s confusion about which communication channels are official can make the situation worse.