New Phishing Campaign Spoofs SBA Loan Offer as It Seeks Banking Credentials

NEW YORK—A newly discovered phishing campaign is spoofing a U.S. Small Business Administration loan offer in an attempt to steal banking credentials and other personal data.

This campaign appears to have started in early August, reported Bank Info Security, citing information from Malwarebytes. Another phishing attack in April also used spoofed SBA messages, but it was created to spread a dropper called GuLoader, which is used to distribute other malware.

Since the COVID-19 pandemic began, the SBA has been overseeing the Payroll Protection Program to help funnel loans to U.S. small businesses that have been disrupted. Fraudsters have used the agency's images and logos as part of fraud campaigns designed to harvest victims' credentials or steal financial information, Bank Info Security noted.

In the phishing campaign that Malwarebytes discovered, the victims are asked to fill out an attached "disaster loan assistance" form that asks for personal as well as banking details. The document spoofs legitimate SBA loan applications.

"This is ... a pretty clever and daring scheme that tricks people into completing a full form containing highly personal information, including bank account details," Jerome Segura, director of threat intelligence at Malwarebytes, said.

Legitimate SBA Address, But…

The spoofed messages have a legitimate SBA email address embedded in the body of the email. But if the victim hits the reply button, they see a slightly different, malicious address. Malwarebytes analysts found that the domain associated with this fraudulent email address, gov-sba[.]us, was registered on July 31 and is not associated with the SBA, Bank Info Security stated.
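A mail filter can check for the reply-address mismatch described above. The sketch below is an added example, not code from Malwarebytes or Bank Info Security. It assumes the reply address travels in the Reply-To header (or From when Reply-To is absent) and that sba.gov is the only trusted domain; the sample message, its local parts and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "sba.gov"  # the SBA's real domain
BRAND = "sba"        # label to look for in lookalike domains

# Constructed sample: wording and local parts are invented; the domain is
# kept defanged, as in the article, and refanged only at parse time.
SPOOFED = """\
From: "SBA Disaster Loan Assistance" <loans@gov-sba[.]us>
Reply-To: loans@gov-sba[.]us
To: owner@example.com
Subject: Disaster loan assistance

Complete the attached form. Questions: loans@sba.gov
"""
LEGIT = SPOOFED.replace("gov-sba[.]us", "sba.gov")

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def is_trusted(domain):
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def looks_like_brand(domain):
    """True when an untrusted domain carries the brand as a dot/hyphen label."""
    return not is_trusted(domain) and BRAND in re.split(r"[.\-]", domain)

def check_message(raw):
    msg = message_from_string(raw.replace("[.]", "."))
    # Where a reply would actually go: Reply-To wins over From.
    reply_dom = domain_of(msg.get("Reply-To") or msg.get("From", ""))
    body = msg.get_payload()
    body_doms = re.findall(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", body)
    findings = []
    # Body advertises a trusted address, but replies leave the trusted domain.
    if any(is_trusted(d.lower()) for d in body_doms) and not is_trusted(reply_dom):
        findings.append("reply-leaves-trusted-domain")
    if looks_like_brand(reply_dom):
        findings.append("lookalike:" + reply_dom)
    return findings

if __name__ == "__main__":
    print(check_message(SPOOFED))
    print(check_message(LEGIT))
```

The label check is deliberately narrow: it catches domains that rearrange the brand around dots or hyphens, as the one in this campaign does, but not misspellings or homoglyphs.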

Copyright Holder: CUToday.info
Copyright Year: 2026