This blog originally appeared in September 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.
Congress may be in a deadlock over a second stimulus package, but malicious actors are always ready to pounce on the slightest opportunity to exploit the public’s confusion. The US Small Business Administration (SBA) is being impersonated in Coronavirus-themed phishing messages that leverage unfamiliarity with loan application procedures. With many small businesses relying on loans from the SBA to keep their doors open during the quarantine slump, cyber criminals are capitalizing on delays in loan approvals to swindle businesses.
Since at least April, malicious actors have been impersonating the SBA in various campaigns leveraging diverse Tactics, Techniques and Procedures (TTPs), such as malicious payloads, credential harvesters, and stealthy social engineering, all aimed at severely compromising devices and stealing money from companies. In our “How to Stop Financial Phishing Attacks” webinar earlier this year (available on-demand here), we covered one such campaign, which attempted to spread GuLoader malware.
A Simple Yet Effective Approach
The latest wave of attacks involves a clever social engineering tactic that can fly under almost any radar. This phishing message does not contain errant red flags that would maladroitly trigger a litany of detections. Unlike the previously observed campaigns, this wave of attacks does not contain any malicious payloads, only a benign attachment named SBA - Disaster Loan Assistance Form.pdf. The attacker opts for a clever and silent attack vector, relying on the target believing the email is indeed from the SBA.
Looking at the email below, it is clear this is not your typical 419 phishing scam, poorly masquerading as an official entity to solicit money. The attacker ensures that even the smallest of details are correct in order to give the message a more credible appearance:
- First, the Sender email address looks entirely legitimate.
- Second, the target’s full name appears in the body of the message, as opposed to just a mere email address, as is often seen in more low-level attacks.
- Lastly, the message is free of typos and the formatting is clean and professional.
The attacker successfully spoofs the FROM headers of the real SBA Disaster Customer Service account, as seen on the left. Unfortunately, replying to this email will not send your Economic Injury Disaster Loan (EIDL) application to the SBA, but instead to the attacker’s account at the malicious Reply-To domain, as shown on the right.
Just days before launching this campaign, the attacker created the malicious Reply-To domain gov-sba[.]us using bogus registration information. Whois details for this newly registered domain (NRD) are shown below.
Domain Name: gov-sba[.]us Registry Domain ID: D18007599F1554B3DAA9B6AFEA0F4235C-NSR Registrar WHOIS Server: Registrar URL: www.psi-usa.info Updated Date: 2020-08-05T06:22:13Z Creation Date: 2020-07-31T06:22:09Z Registry Expiry Date: 2021-07-31T06:22:09Z Registrar: PSI-USA, Inc. dba Domain Robot Registrar IANA ID: 151 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: C186298DF566447488A165F7E4F5B8F60-NSR Registrant Name: Krikor Derabrahamian Registrant Organization: Registrant Street: Rotenloewengasse 15 Registrant City: Wien Registrant State/Province: US Registrant Postal Code: 1090 Registrant Country: US Registrant Phone: +44.7418440320 Registrant Email: [email protected] Registrant Application Purpose: P5 Registrant Nexus Category: C31/US Registry Admin ID: C5DF36C6EB720453A8CB08A1FC96AB740-NSR Admin Name: Krikor Derabrahamian Admin Organization: Admin Street: Rotenloewengasse 15 Admin City: Wien Admin State/Province: AT Admin Postal Code: 1090 Admin Country: AT Admin Phone: +44.7418440320 Admin Email: [email protected] Admin Application Purpose: P5 Admin Nexus Category: C31/AT Registry Tech ID: C5651DB7CEC1B420BAE1B3F7BE7E214B0-NSR Tech Name: Gerald Auer Tech Organization: World4You Internet Services GmbH Tech Street: Hafenstrasse 47-51 Tech City: Linz Tech State/Province: OOE Tech Postal Code: 4020 Tech Country: AT Tech Phone: +43.73293035 Tech Fax: +43.7329303510 Tech Email: [email protected] Tech Application Purpose: P5 Tech Nexus Category: C31/AT Name Server: ns2.world4you.at Name Server: ns1.world4you.at DNSSEC: unsigned
NRDs are consistently used by attackers to fool users into taking actions that jeopardize the security of their organization. Phishing that leverages NRDs is a particularly effective tactic for a variety of reasons. For one thing, it is a common attacker technique to circumvent Secure Email Gateways (SEGs). New domains have very little history or presence, which allows them to bypass typical blocklists. In fact, a significant number of campaigns that Area 1 Security catches leverage new domains, which are often ephemeral (active only for about 48 hours or less).
Attackers commonly impersonate trusted entities in order to dupe targets into letting their guard down. This is made all the easier by registering an NRD that is also a malicious look-alike domain, in this case gov-sba[.]com. As a result, the true sender domain, buried deep within an email’s headers, is often overlooked. This is particularly the case when phish are opened via mobile devices, such as cell phones, where true sender domains are often hidden, and only Display Names are provided. What’s more, it requires fairly burdensome actions to reveal this type of information in most mobile device (and other purpose-built) mail clients.
To further con targets into filling out the fraudulent EIDL application, the attacker successfully spoofed the SBA’s legitimate sender address, [email protected]. In a stealthy move, the attacker actually inserted an SMTP HELO command, as shown below.
Authentication-Results-Original: 990w8b.myvserver.online; spf=pass (sender IP is 126.96.36.199) [email protected] smtp.helo=sba.gov Received-SPF: pass (990w8b.myvserver.online: connection is authenticated) Reply-To: "U.S. Small Business Administration (SBA)" <[email protected]> From: "U.S. Small Business Administration (SBA)" <[email protected]>
The HELO command told the receiving email server to treat the message as if it originated from SBA’s domain, when in fact the sender actually had a completely different domain and IP address, namely 990w8b[.]myvserver[.]online and 64[.]44[.]141[.]5. This resulted in various legacy email security solutions accepting the message for delivery.
Reply with Bank Details
A target’s reply to this phish is the lynchpin of the whole scam, given the attached EIDL application requests private financial information. Further, the likelihood of a reply is dramatically increased by the seemingly benign and unassuming nature of this purported government form. In the body of the message, the attacker provides instructions to simply reply to the email with a completed EIDL application, of course making sure to note that all personal and banking details must be correct.
Looking at the PDF below, it’s almost impossible to believe this is a forgery, especially with a valid Office of Management and Budget (OMB) form number. In fact, the PDF closely resembles the legitimate Business Information form of the SBA’s online application for EIDL, and even includes an oath at the bottom certifying that all information is true under penalty of perjury. With this attached PDF the attacker clearly has one goal in mind -- steal sensitive account and routing information from businesses.
The only telltale sign that this application is a forgery can be found buried in the document properties, where no typical target would venture:
- Firstly, as seen below, this PDF was created with Skia, an open-source graphics engine for a variety of web platforms. This is a big deviation from the standard Adobe PDF Library that is used to create such documents.
- Secondly, the document’s timestamp reveals that it was recently created on July 31st, 2020, long after the creation of the legitimate EIDL form.
Exposing the Imposter
To thwart these sneaky SBA-themed phish, Area 1 Security uses multiple advanced techniques that leverage insight gained from early identification of attacker campaign infrastructure, enabling superior detection of emails from spoofed domains and accounts. Our anti-phishing service analyzes email for threat indicators, such as recently registered domains, domain name obfuscation, and look-a-like domains. Additionally, the service uses real-time correlation with associated brand infrastructure to verify authenticity.
Area 1 also uses lexical analysis of message body and subject to detect financially driven attacks. Headers are checked for sender display name and true sender mismatches, and SPF, DKIM, and DMARC records are checked to validate the sender. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those with malicious newly registered domains, that other defenses miss.
The official SBA website provides information on protecting yourself from these scams. The SBA will never proactively contact you for loan applications. If you receive an email asking for additional information regarding an existing loan application, first ensure there is an application number referenced in the email, and it matches your application.
If you suspect that you have received an SBA phishing email, call the Office of Inspector General Hotline at 800-767-0385 or report it online, Office of Inspector General Hotline.
Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology leverages algorithms to uncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real-time versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time. This has many advantages over post-delivery retraction in that the user is never exposed to the attack.
Indicators of Compromise
Malicious look-alike NRD: