PPP Extended Coverage Phishing - Abnormal Security


In this attack, attackers impersonate a message from the United States government, claiming to provide information on the Paycheck Protection Program in an attempt to steal valuable credentials.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: Less than 10,000
Bypassed Email Gateway: Proofpoint
Victims: Employees
Payload: Link
Technique: Impersonation

What was the attack?

Setup: Fraudulent actors continue to capitalize on the ongoing pandemic by harvesting information from vulnerable recipients as Congress extends the Paycheck Protection Program. This attack is an instance in which attackers carefully craft an impersonated government message to phish for credentials.

Email Attack: The recipient receives an email that appears to come from the government, sent from the spurious domain and address ‘payments@sba.pppgov.com’. However, the domain is registered to an owner in Torino, Italy, which should be an immediate red flag for an email that claims to provide information about a US-based program. The body of the message claims to provide continued financial relief and directs the recipient to an embedded link to learn more. Following the link leads the recipient to a form that purports to check PPP loan qualification.

Payload: The email’s body contains a brief statement regarding Congress’s extension of PPP along with a link to an application form that claims to be a World Trade Finance PPP 2021 Data Collection form. Within the form, the recipient is expected to enter sensitive information including their business legal name, full name, business email, date of birth, social security number, and more.

Result: If recipients fall victim to the phishing ploy and enter their credentials, they hand attackers confidential information that exposes their business to fraudulent activity.

Why was this attack effective?

Convincing landing page: The email seems convincing because its domain contains “gov”, leading the recipient to believe it is a legitimate message from the government. Further, the email signature is signed as the President of the World Trade Finance organization in an attempt to lend the email legitimacy.

Widespread Attack: The attack was sent to a large number of recipients, increasing its chances of someone falling prey. The sender for all campaigns is the same address, ‘payments@sba.pppgov.com’.
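The two signals that made this campaign detectable in hindsight, a sender domain that borrows "gov" without being under the .gov TLD and a WHOIS registrant outside the US for a US-program theme, can be turned into simple triage rules. The Python below is an added example, not Abnormal Security's detection logic or anything from the campaign itself; the allow-list `TRUSTED_PROGRAM_DOMAINS`, the theme terms, and the sample messages are assumptions constructed for the example, and the registrant country is passed in by the caller rather than looked up over the network.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list of domains that legitimately send mail about the program.
# Hypothetical for this example; an operator would maintain their own list.
TRUSTED_PROGRAM_DOMAINS = {"sba.gov"}

# Theme words that mark a message as being about the US relief program.
THEME_TERMS = ("ppp", "paycheck protection", "sba")


@dataclass
class Finding:
    rule: str
    detail: str


def sender_domain(from_addr: str) -> str:
    """Return the lowercase domain of a From value such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_addr)
    return match.group(1).lower().rstrip(".") if match else ""


def assess(from_addr: str, subject: str, body: str,
           registrant_country: Optional[str] = None) -> list:
    """Apply three triage heuristics drawn from the campaign described above.

    registrant_country is the WHOIS registrant country code supplied by the
    caller; this example performs no lookups of its own.
    """
    findings = []
    domain = sender_domain(from_addr)
    labels = domain.split(".") if domain else []
    tld = labels[-1] if labels else ""
    themed = any(term in f"{subject} {body}".lower() for term in THEME_TERMS)

    # Rule 1: a label that is, or ends in, "gov" while the real TLD is not
    # .gov (e.g. "sba.pppgov.com"). Coarse by design: a triage signal, not a verdict.
    if tld != "gov" and any(lbl == "gov" or lbl.endswith("gov") for lbl in labels):
        findings.append(Finding("gov-lookalike",
                                f"'{domain}' borrows 'gov' but its TLD is '.{tld}'"))

    # Rule 2: program-themed content sent from a domain outside the allow-list.
    if themed and domain not in TRUSTED_PROGRAM_DOMAINS and tld != "gov":
        findings.append(Finding("theme-domain-mismatch",
                                f"program-themed mail from unlisted domain '{domain}'"))

    # Rule 3: a US-program theme paired with a non-US registrant, as with the
    # Torino registration noted above.
    if themed and registrant_country and registrant_country.upper() != "US":
        findings.append(Finding("registrant-country",
                                f"registrant country '{registrant_country}' for a US-program theme"))

    return findings


# Constructed sample messages: the first mirrors the campaign's sender address,
# the other two are benign controls. Bodies and registrant codes are made up.
SAMPLE_MESSAGES = [
    dict(from_addr="payments@sba.pppgov.com",
         subject="PPP Extended Coverage",
         body="Congress has extended the Paycheck Protection Program. Apply here.",
         registrant_country="IT"),
    dict(from_addr="noreply@sba.gov",
         subject="Program update",
         body="Please review the Paycheck Protection Program guidance on our site.",
         registrant_country="US"),
    dict(from_addr="billing@vendor.example.com",
         subject="Invoice 1234",
         body="Your invoice for last month is attached.",
         registrant_country="IT"),
]


def triage(messages) -> dict:
    """Map each sender address to the list of rule names it triggered."""
    return {m["from_addr"]: [f.rule for f in assess(**m)] for m in messages}


if __name__ == "__main__":
    for sender, rules in triage(SAMPLE_MESSAGES).items():
        print(f"{sender:32s} {rules or 'no findings'}")
```

Only the lookalike sender trips all three rules; the genuine .gov sender and the unrelated vendor mail produce no findings, which is the behaviour you want from a rule set that is meant to prioritise analyst attention rather than block mail outright.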
