SBA Loan Phishing - Abnormal Security

SBA Loan Phishing

In this attack, malicious actors impersonate a government-sponsored loan program run by the Small Business Administration (SBA) to send phishing emails.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Office 365
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Impersonation

What was the attack?

Setup: Since the onset of COVID-19, many small businesses have lost revenue, leaving their owners in economic hardship. Earlier this month, the US government announced $20B in funding for the Economic Injury Disaster Loan (EIDL) Advance program, which is meant to assist small business owners affected by the virus. This attack uses that program as a lure to harvest credentials and other confidential information from recipients.

Email Attack: The attack impersonates an automated notification, spoofing the sender address on a government domain. The body carries a brief message that the user's application has been approved, along with a link embedded in the text that sends the user to a phishing landing page.

Payload: The payload is a link whose destination is hidden behind link text. It leads to a page hosted at "leanproconsulting[.]com[.]br/gov/covid19relief/". The domain is registered to an owner in Brazil, which alone gives away that this is not a legitimate landing page for a US program; the subdirectory "/gov/covid19relief/" is there to make recipients believe that it is.

The same sender has run multiple attacks leading to similar phishing pages, such as "https://spinnersgaming[.]co[.]za/sba/covid19relief/". In that case the domain is registered to an owner in South Africa.

Result: If recipients do not spot the suspicious URL and enter their username, email, and password on the landing page, they hand the attackers credentials that can be used for fraud.

Why is this attack effective?

Urgency: The email is disguised as a government notification of loan approval. Because funding is limited, recipients understand that being selected is an opportunity to act on immediately, and the attackers rely on that urgency to push recipients past any red flags.

Concealed URL: The URL is hidden behind link text in the email body that reads "Review and Proceed". Because the destination is not displayed, the user has to hover over or click the link to see where it actually leads.

Spoofed Email & Convincing landing page: The email looks legitimate because the sender address is on a .gov domain, so the recipient assumes it comes from the government. The landing page is also convincing and reproduces the exact formatting of the real webpage.

Widespread Attack: Numerous customers have received this attack. The sender for every campaign is the same spoofed .gov address. The sending infrastructure authorized for that domain is a US IP address, whereas the attack emails originate from Japanese IPs; that mismatch between the claimed sender domain and the actual origin is itself a detection signal.
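The three signals this post calls out (link text that hides its destination, a non-government host whose path borrows tokens like "gov" and "covid19relief", and a claimed sender domain whose authorized mail servers do not include the IP the message actually came from) can all be checked mechanically. The script below is an added example written for this page, not Abnormal Security's detection code. The sample message, the sender domain agency.example.gov, the origin IP 203.0.113.7 and the 198.51.100.0/24 "authorized network" are constructed placeholders standing in for the real spoofed address and its SPF data; the landing-page URL is the one quoted above, undefanged so that it parses.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from the post). "agency.example.gov"
# stands in for the spoofed .gov sender and 203.0.113.7 (documentation range)
# for the foreign origin host; the link is the landing page quoted in the post.
SAMPLE_EML = b"""Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.victim.example with ESMTP; Mon, 6 Apr 2020 09:12:31 +0000
From: SBA Notifications <no-reply@agency.example.gov>
To: owner@victim.example
Subject: EIDL application approved
Content-Type: text/html; charset=utf-8

<html><body><p>Your application has been approved.</p>
<p><a href="https://leanproconsulting.com.br/gov/covid19relief/">Review and Proceed</a></p>
</body></html>
"""

# Constructed stand-in for the sender domain's SPF record (not the real one).
AUTHORIZED_NETWORKS = {"agency.example.gov": ["198.51.100.0/24"]}

# Path tokens the post's URLs use to look official on a non-government host.
LOOKALIKE_TOKENS = {"gov", "sba", "covid19relief"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def is_concealed(href, text):
    """True when the clickable text does not show the destination host."""
    host = (urlparse(href).hostname or "").lower()
    return bool(host) and host not in text.lower()


def path_lookalike(href):
    """True for a non-.gov host whose path borrows government-looking tokens."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host.endswith(".gov"):
        return False
    segments = {s.lower() for s in parsed.path.split("/") if s}
    return bool(segments & LOOKALIKE_TOKENS)


def origin_ip(msg):
    """Connecting IPv4 address from the topmost Received header, if any."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return match.group(1) if match else None


def sender_authorized(domain, ip):
    """SPF-style check: is the origin IP inside the domain's allowed networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in AUTHORIZED_NETWORKS.get(domain, []))


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    ip = origin_ip(msg)
    if ip and not sender_authorized(domain, ip):
        findings.append(f"origin-mismatch: {ip} is not an authorized sender for {domain}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if is_concealed(href, text):
            findings.append(f"concealed-link: '{text}' hides {host}")
        if path_lookalike(href):
            findings.append(f"lookalike-path: {host}{parsed.path} mimics a .gov resource")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print(finding)
```

Run against the sample, the script reports all three signals. The origin check is deliberately a simplified SPF lookup against a static table; a production check would query the domain's actual TXT record and also evaluate DKIM and DMARC, but the logic of comparing the claimed sender domain with the connecting IP is the same.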
