Phishing

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about phishing attacks targeting various government agencies that aim to steal logins for the Small Business Administration's (SBA) COVID-19 loan relief accounts.

The campaign was launched at the end of July and targets Federal Civilian Executive Branch agencies as well as state, local, tribal, and territorial government agencies.

Security analysts saw the threat actor use persuasive tactics in a newer phishing attack, which started in August, to trick potential victims into sharing personal and financial information.

Sensitive Data May Have Been Leaked

CISA's warning includes indicators of compromise (IoCs) that help recipients detect the phishing attack and take appropriate action against it.

The fake email has the subject line “SBA Request-Review and Proceed” and comes from the spoofed email address “disastercustomerservice@sba[.]gov”.

A link in the email body promises to take the recipient to the account sign-in page on the SBA website. Credentials entered on that page go straight to the attacker.

The fraudster is using several domains to host the phishing website, some of which are under Brazil's top-level domain (.br). CISA's advisory provides a free list of IoCs in XML format.

Malwarebytes' Jérôme Segura also observed this campaign and variants of it. Beyond credential theft, the researcher found that GuLoader, a piece of malware that loads other payloads, was delivered in emails sent from the same spoofed address mentioned above.

That campaign took place in April and was the first phishing attack targeting the SBA. To evade detection, the malware arrived attached as a small (1MB) IMG disc image.

Checking the message source (its headers) reveals the real sender address behind the displayed one. The fraud attempt can also be spotted by comparing the email's text with legitimate SBA communications.

Paying attention to the URL in the browser's address bar helps ensure that you are on the genuine website and not a look-alike. CISA also advises organizations to add banners that flag emails arriving from external sources.
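As an added illustration, not code from the article or from CISA's advisory, the following Python script turns the indicators described above (the spoofed sender address, the known subject line, link hosts that are not under sba.gov, including Brazil's .br TLD) and the header checks (a Return-Path that disagrees with the displayed From domain, the external-sender banner) into a small triage routine. The two sample messages and the `example-agency.gov` internal domain are constructed for the example; the IoC strings are the ones quoted in the article with the defanged `[.]` restored.

```python
"""Triage a raw e-mail against the SBA phishing indicators described above.

Added example; the sample messages and INTERNAL_DOMAINS are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the CISA warning (defanged "[.]" restored).
SPOOFED_SENDER = "disastercustomerservice@sba.gov"
KNOWN_SUBJECT = "SBA Request-Review and Proceed"
LEGIT_DOMAIN = "sba.gov"

# Assumption: the receiving agency's own mail domain, used for the
# external-sender banner that CISA recommends.
INTERNAL_DOMAINS = {"example-agency.gov"}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lowercase domain part of an address header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def message_body(msg):
    """Concatenate the text/plain parts (or the single body) of a message."""
    if msg.is_multipart():
        return "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    return msg.get_payload()


def is_legit_host(host):
    """True only for sba.gov itself or a subdomain of it (look-alikes fail)."""
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def triage(raw_message):
    """Return the indicators found in one raw RFC 822 message plus a verdict."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip()

    if from_addr == SPOOFED_SENDER:
        findings.append("spoofed_sender")
    if subject == KNOWN_SUBJECT:
        findings.append("known_subject")

    # The displayed From header is trivially forged; the envelope Return-Path
    # usually betrays the real sending domain, so a disagreement is flagged.
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != domain_of(msg.get("From")):
        findings.append("return_path_mismatch")

    # Every link host that is not under sba.gov is suspicious; hosts under
    # Brazil's TLD get an extra tag because the article calls them out.
    for host in URL_RE.findall(message_body(msg)):
        host = host.lower().split(":")[0]
        if not is_legit_host(host):
            findings.append("suspicious_link:" + host)
            if host.endswith(".br"):
                findings.append("brazil_tld:" + host)

    strong = [f for f in findings
              if f in ("spoofed_sender", "known_subject")
              or f.startswith("suspicious_link:")]
    if strong:
        verdict = "phishing"
    elif findings:
        verdict = "suspicious"  # e.g. only a Return-Path mismatch, common for mailing lists
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings,
            "external": domain_of(msg.get("From")) not in INTERNAL_DOMAINS}


def banner_subject(raw_message):
    """Subject line with an external-source banner prepended when the sender is not internal."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    if domain_of(msg.get("From")) in INTERNAL_DOMAINS:
        return subject
    return "[EXTERNAL] " + subject


# Constructed sample resembling the lure described in the article.
PHISH_SAMPLE = """\
Return-Path: <bounce@mail-relay.example.com.br>
From: SBA Disaster Customer Service <disastercustomerservice@sba.gov>
To: grants@example-agency.gov
Subject: SBA Request-Review and Proceed
Content-Type: text/plain

Your loan application needs attention. Sign in to review and proceed:
https://sba-account-review.example.com.br/login
"""

# Constructed benign internal message linking to the real SBA site.
CLEAN_SAMPLE = """\
Return-Path: <alice@example-agency.gov>
From: Alice <alice@example-agency.gov>
To: grants@example-agency.gov
Subject: Funding programs overview
Content-Type: text/plain

The official program page is https://www.sba.gov/funding-programs
"""

if __name__ == "__main__":
    for raw in (PHISH_SAMPLE, CLEAN_SAMPLE):
        print(banner_subject(raw), triage(raw))
```

Run as a script it prints the bannered subject and the verdict for both samples; in practice the same `triage` function would be fed messages pulled from a mail gateway or quarantine, and the `findings` list is what goes into the alert.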