Scammers spoof SBA to get disaster loan dollars

The campaign was still active in early August, the latest evidence that the economic assistance tied to COVID-19 remains an attractive target for cyber criminals.


It's no secret that scammers and hackers have targeted the coronavirus pandemic and the federal agencies charged with disbursing hundreds of billions of dollars to struggling Americans and companies.

Now, new research from Malwarebytes Labs, which sells anti-malware software, reveals an email spoofing and phishing campaign impersonating the Small Business Administration.

According to Jérôme Segura, the company's director of threat intelligence, the campaign targeted business owners, CEOs and CFOs and sought to entice victims to download malware and hand over personal banking information. One such attack took place in April, right as the pandemic was killing thousands of Americans every day and businesses were under lockdown and facing economic ruin.

Emails that appeared to come from an SBA address advised victims that their application for a disaster small business loan was complete, but that they first needed to fill out an attached form to finalize the deal. In reality the attachment, disguised as an image file, was an .exe file carrying the GuLoader malware, which is designed to evade antivirus detection.

Another attack discovered by researchers in August was even more sophisticated. Emails appearing to come from the same SBA address also carried PDF loan documents, and to anyone who did not inspect the headers and metadata closely, or whose mail setup did not flag the spoofed sender, both appeared to come legitimately from the federal government.

By checking the Received header, researchers found that the message had come through a hostname already seen in a separate email scam. The message's reply address was not the spoofed SBA sender either: anyone who attempted to reply would have been writing to a new, unofficial email address hosted on a domain registered just days before the campaign kicked off.

The attached PDF looked identical to the version individuals could download on SBA's website, but an examination of the metadata revealed that the PDFs were created with different tools, another suspicious sign. Another red flag: the "agency" asked users to send their completed form back via email with relevant banking details, rather than printing it out and sending it through the mail.
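The header checks described above (comparing the Received hop and the reply address against the claimed sender, and reading the receiving server's authentication verdicts) can be scripted. The following is an added example written for this page, not code from Malwarebytes or from the article; the two sample messages, and every hostname, domain and address in them, are constructed for illustration and do not correspond to the real campaign.

```python
"""Header checks for a suspected spoofed message (added example, stdlib only)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape of the campaign described in the text: the From
# header claims sba.gov, Reply-To points to a different domain, the first hop is an
# unrelated host, and the receiving server's SPF/DMARC checks fail. All names invented.
SUSPECT_EMAIL = """\
Received: from mail.example-phish.test (mail.example-phish.test [192.0.2.10])
\tby mx.example.com with ESMTP id abc123; Mon, 10 Aug 2020 09:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=sba.gov; dkim=none; dmarc=fail
From: "SBA Disaster Loan" <disastercustomerservice@sba.gov>
Reply-To: disasterloan@sba-loan-support.test
To: ceo@example.com
Subject: SBA Application - Review and Proceed
Content-Type: text/plain

Your application for a disaster loan is complete. Please return the attached form.
"""

# Constructed control sample that should raise no findings (names invented).
LEGIT_EMAIL = """\
Received: from mx1.example.com (mx1.example.com [198.51.100.5])
\tby mx.example.com with ESMTP id def456; Mon, 10 Aug 2020 09:05:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
From: "Payroll" <noreply@example.com>
To: ceo@example.com
Subject: Your statement
Content-Type: text/plain

Statement attached.
"""


def domain_of(header_value):
    """Lowercased domain of the first address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Hostnames from the 'from' clause of each Received header, newest hop first.

    Only the top entry was written by our own server; anything below it could
    have been forged by the sender.
    """
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results[mech] = verdict.lower()
    return results


def check_sender(raw_message):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    hosts = received_hosts(msg)
    if hosts and not (hosts[0] == from_dom or hosts[0].endswith("." + from_dom)):
        findings.append(f"first hop {hosts[0]} is not under {from_dom}")

    for mech, verdict in sorted(auth_results(msg).items()):
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_sender(raw) or "no findings")
```

The first-hop test is deliberately strict: a legitimate third-party mailer sending on an agency's behalf would also trip it, which is why the script reports findings for a human to weigh rather than a verdict. The Authentication-Results check is the most reliable of the three, but only when the header was added by your own receiving server and not carried in from outside.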

"Most people aren't aware of email spoofing and believe that if the sender's email matches that of a legitimate organization, it must be real," wrote Segura in an Aug. 10 blog post detailing the research. "Unfortunately, that is not the case and there are additional checks that need to be performed to confirm the authenticity of a sender."

Checking headers and metadata in this way can help users sniff out such scams in the future, but there are also steps the less technically inclined can take to protect themselves.

"Because we can't expect everyone to be checking for email headers and metadata, at least we can suggest double-checking the legitimacy of any communication with a friend or by phoning the government organization," Segura wrote. "For the latter we always recommend to never dial the number found in an email or left on a voice mail as it could be fake."

The federal government has doled out more than $3 trillion in relief funding tied to the COVID-19 pandemic since March, including small business and payroll loans disbursed by the SBA and Department of the Treasury and economic stimulus checks for American families processed by the IRS. Nearly all of those programs have been targeted relentlessly by scammers and cyber criminals.