SBA Phishing: Malicious Actors "Return to Roots" in the Hunt for Money

By Eric Howes, KnowBe4 Principal Lab Researcher. The COVID-19 pandemic continues to dominate news headlines as well as the development of malicious email attacks designed to separate users and organizations from their money. Among the more persistent social engineering schemes we’ve seen deployed by malicious actors are phishing emails that exploit the several financial programs offered by the U.S. federal government to provide monetary relief in one form or another to individuals, businesses, and other organizations.

These social engineering schemes first popped up back in March and early April during the initial surge of coronavirus-themed phishing emails, and they’ve been with us ever since. Although some of these malicious emails have targeted businesses and organizations, most of the “COVID-19 Relief” phishes reported to us by customers using the Phish Alert Button (PAB) have been clearly aimed at individual users concerned about their own personal financial situation.

Over the past two weeks, however, we’ve spotted some interesting and dangerous new variations on this basic phishing attack.

The Development of “COIVD-19 Relief” Phishing

The majority of “COVID-19 Relief” phishing emails reported to us target individual users by employing the oldest trick in the book: the offer of free money. Here’s a fairly typical example:

As with the above email, these individually-targeted “COVID-19 Relief” schemes typically invoke a well-known brand or authority to lend credence (of some sort) to the monetary dangle. In addition to the WHO (World Health Organization) we’ve seen the bad guys spoof the IRS:


…the UN:

…as well as the Gates Foundation:

If there have been been similar runs of malicious emails invoking the IMF (International Monetary Fund), the CDC (Centers of Disease Control), or Google, we aren’t aware of them. We wouldn’t, however, be surprised to learn of their existence, as all of these organizations have proven to be popular with malicious actors looking to establish credibility with end users.

As you might expect, the majority of these individually-targeted emails lead to malware installations or credentials phishes, though some appear to be classic “advance fee” fraud schemes.

Businesses and organizations have also been targeted by fraudsters, though.

As reported by mainstream media, enterprising fraud artists have set their sight on businesses that might have an interest in pursuing in one of the several financial relief programs offered by the Small Business Administration (SBA), the best known of which is the Paycheck Protection Program (PPP). To no one’s surprise, these programs have been beset by fraud, much of it involving fake or bogus offers to facilitate loans for cash-strapped businesses and organizations.

Malicious actors who ply their trade through phishing emails, however, have used the SBA for somewhat different purposes: as bait for social engineering schemes that trick recipients into clicking through to credentials phishes and malware installs — the usual end game for malicious actors attempting to breach corporate networks.

This fairly typical phish spoofs the SBA to dangle a document with information about the approval status for an SBA-backed loan in front of small business owners.

Although the SBA’s now familiar logo appears, the email is, curiously enough, signed by “The Google Team.” There is no document, of course – only credentials phish:

Other SBA-spoofs deliver malware, however.

Note the attached .IMG file — an image file format similar to .ISO files that is increasingly popular with malicious actors — which in turn yields a malicious executable, itself a trojan dropper.

Although direct spoofs of the SBA are common enough, plenty of other malicious emails spoof the SBA via proxy — offering up purported documentation or information from the SBA via a trusted intermediary. Take for example this phish, which spoofs Docusign (though not very well) as well as the SBA:

…and takes unwitting clickers to the usual credentials phish:

Malicious actors who prosecute this particular social engineering scheme are perfectly capable of using legitimate online services to deliver their malicious emails instead of just spoofing them (as in the fake Docusign email above). Although this next example spoofs Bank of America, it is delivered through Sendgrid, a well-known email service provider:

Another popular vehicle for delivering malicious SBA-themed phishing emails is Dropbox:

Note the bogus email address provided for the SBA towards the bottom of the email body.

Often the bad guys don’t even bother spoofing an intermediary, however, electing instead to present users with some kind of PPP-related document:

One might doubt the effectiveness of this kind of bare-bones phish, but when business owners are cash-strapped and looking into a financial abyss basic good judgement often goes out the window.

Meet the New Phish, Same as the Old Phish

As noted earlier, the vast majority of these “COVID-19 Relief” phishing emails — whether targeted at individuals or organizations — have pursued the usual end game for malicious actors: credentials phishes, malware installs, and “advance fee” fraud schemes.

Over the past few weeks, however, customers using the Phish Alert Button (PAB) have reported an interesting and alarming variation on the SBA-themed social engineering scheme targeted at businesses and organizations. Let’s take a look.

This is a convincing, high-quality spoof of the SBA — a clear cut above any of the previous emails we’ve looked at here. For comparison, here’s a legitimate email from the SBA:


Leave a Reply

Your email address will not be published. Required fields are marked *