January 29, 2021
Abnormal Security
In this attack, the attackers impersonate the United States government in a message that claims to provide information on the Paycheck Protection Program, in an attempt to steal valuable credentials.
Platform: Office 365
Mailboxes: Less than 10,000
Bypassed Email Gateway: Proofpoint
Victims: Employees
Payload: Link
Technique: Impersonation
Setup: Fraudulent actors continue to capitalize on the ongoing pandemic by intercepting information from the vulnerable as Congress extends the Paycheck Protection Program. This attack features an instance where attackers carefully craft an impersonated government message to phish for credentials.
Email Attack: The recipient receives an email that appears to come from the government but is sent from a spurious domain and address, ‘payments@sba.pppgov.com’. The domain is registered to an owner in Torino, IT, which should be an immediate red flag because the email claims to provide information on a US-based program. The body of the message claims to offer continued financial relief aid and directs the recipient to an embedded link to learn more. Following the link leads the recipient to a form that poses as a PPP loan qualification form.
Payload: The email’s body contains a brief statement regarding Congress’s extension of PPP along with a link to an application form that claims to be a World Trade Finance PPP 2021 Data Collection form. Within the form, the recipient is expected to enter sensitive information including their business legal name, full name, business email, date of birth, social security number, and more.
Result: If recipients fall victim to the phishing ploy and enter their credentials, they provide attackers with confidential information that would expose their business to fraudulent activity.
Convincing landing page: The email seems convincing because the sender's domain contains “gov”, leading the recipient to believe this is a legitimate message from the government. Further, the email is signed as the President of the World Trade Finance organization, in an attempt to legitimize it.
Widespread Attack: The attack was sent to a large number of recipients, increasing its chances of someone falling prey. The sender for all campaigns is the same email address, ‘payments@sba.pppgov.com’.
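The sender-domain red flag described above can be checked mechanically. The following is an added example, not code from the original report: a triage heuristic that treats a sender as governmental only when its domain sits in the .gov top-level domain, and flags domains that merely carry "gov" or an agency name in another label. The `AGENCY_LABELS` set and all sample headers other than the reported address are assumptions.

```python
from email.utils import parseaddr

# Agency names a US-government lure is likely to borrow; "sba" is taken from
# the sender address in this report, the set itself is an assumption.
AGENCY_LABELS = {"sba"}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header, or "" if unparsable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()

def classify_sender(from_header: str) -> str:
    """Classify a sender as 'gov', 'gov-lookalike', 'other' or 'unparsable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparsable"
    labels = domain.split(".")
    # Only the rightmost label decides whether a name is in the .gov TLD.
    if len(labels) > 1 and labels[-1] == "gov":
        return "gov"
    # "gov" or an agency name in any other position is chosen freely by the
    # registrant. This is a triage signal: unrelated names that happen to
    # contain "gov" will also match and need a second look.
    if any("gov" in label or label in AGENCY_LABELS for label in labels):
        return "gov-lookalike"
    return "other"

# Constructed sample headers; only the first address comes from the report,
# and its display name is constructed.
SAMPLES = [
    "SBA Payments <payments@sba.pppgov.com>",
    "notices@sba.gov",
    "billing@example.com",
    "Relief Desk <help@gov.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):14} {header}")
```

A "gov-lookalike" result is most useful when combined with message content that claims a government origin, as in this campaign.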