COVID relief phishing emails spoof SBA
- By Derek B. Johnson
- Aug 11, 2020
Scammers are using particularly sophisticated phishing attacks to divert coronavirus relief funding from struggling Americans and companies.
Emails that appear to be from the Small Business Administration are being sent to business owners, CEOs and CFOs, enticing them to download malware and hand over personal banking information, according to new research from Malwarebytes Labs, which sells anti-malware software.
According to Jérôme Segura, the company's director of threat intelligence, one such attack, which took place in April, advised victims that their application for a disaster small business loan was complete, but that they first needed to fill out an attached form to finalize the deal. In reality the attachment, disguised as an image file, was actually an .exe file containing the GuLoader malware, which is designed to bypass antivirus detection.
Another attack discovered by researchers in August was even more clever. Emails appearing to come from the same SBA address also attached PDF loan documents, and to anyone who didn't study the metadata closely or have their email settings configured correctly, both the message and the attachment appeared to legitimately come from the federal government.
By checking the "Received" header field, researchers found the email came from a hostname that had already been caught in a separate email scam. Anyone who attempted to reply to the email would find that they were actually responding to a new, unofficial email address hosted on a domain registered just days before the campaign kicked off.
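The header checks described above, as an added example that is not from the article or from Malwarebytes: a small Python script that flags a Reply-To domain that differs from the From domain and a Received hostname outside the claimed sender's domain. The message, hostnames and domain names are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above: the From
# header shows the agency's domain, Reply-To points at a look-alike domain,
# and the Received chain shows a relay host unrelated to the agency.
SAMPLE = """\
Received: from mail-relay.example-lookalike.net (mail-relay.example-lookalike.net [203.0.113.10])
    by mx.example.com with ESMTP id 123abc; Tue, 4 Aug 2020 09:12:00 -0400
From: "SBA Disaster Loans" <disastercustomerservice@sba.gov>
Reply-To: disastercustomerservice@sba-loan-forms.example
To: owner@example.com
Subject: SBA Application Status
Content-Type: text/plain

Please complete the attached form and return it by email.
"""

# Domains whose mail we expect to be relayed from hosts within that domain.
TRUSTED_DOMAINS = {"sba.gov"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def received_hosts(msg):
    """Collect the 'from <host>' token of every Received header (unfolded)."""
    hosts = []
    for value in msg.get_all("Received", []):
        parts = str(value).split()
        if len(parts) >= 2 and parts[0].lower() == "from":
            hosts.append(parts[1].lower())
    return hosts


def check_sender(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    # Red flag 1: replies would go to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Red flag 2: a message claiming a trusted domain was relayed by a foreign host.
    for host in received_hosts(msg):
        in_trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        if from_domain in TRUSTED_DOMAINS and not in_trusted:
            findings.append(f"claimed sender {from_domain} but relayed from {host}")
    return findings
```

The Received chain can itself be forged by the sender below the first trusted hop, so only the hops added by your own mail servers are authoritative; domain registration age, also mentioned above, would need a separate WHOIS lookup.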
The attached PDF looked identical to the version individuals could download on SBA's website, but an examination of the metadata revealed that the PDFs were created with different tools, another suspicious sign. Another red flag: The "agency" asked users to send their completed form back via email with relevant banking details, rather than printing it out and sending it through the mail.
"Most people aren't aware of email spoofing and believe that if the sender's email matches that of a legitimate organization, it must be real," wrote Segura in an Aug. 10 blog post detailing the research. "Unfortunately, that is not the case and there are additional checks that need to be performed to confirm the authenticity of a sender."
Taking similar precautions can help users sniff out similar scams in the future, but there are also steps the less technically inclined can take to protect themselves.
"Because we can't expect everyone to be checking for email headers and metadata, at least we can suggest double-checking the legitimacy of any communication with a friend or by phoning the government organization," Segura wrote. "For the latter we always recommend to never dial the number found in an email or left on a voice mail as it could be fake."
The federal government has distributed more than $3 trillion in relief funding tied to the COVID-19 pandemic since March, including small business and payroll loans disbursed by the SBA and Department of the Treasury and economic stimulus checks for American families processed by the IRS. Nearly all of those programs have been targeted relentlessly by scammers and cyber criminals.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.